Re: [Ethereal-users] problem with imap sample capture

[Guy Harris <gharris@xxxxxxxxx>]

On Tue, Sep 03, 2002 at 12:19:15AM -0700, praveen wrote:
>       I downloaded the sample captures available on the site but the IMAP file
> gave me an error saying that the file imap.cap.gz applears to be corrupt. DOes
> anyone else also have the same problem?

Yes, there appears to be something wrong with frame 8 of the capture.

There's an extra 0x4f after the CR LF at the end of the line, *and* the
TCP checksum is incorrect, but if the length in the IP header is to be
believed, *some* extra byte after the CR LF really is there - and the
checksum on the IP header is correct, *and* the TCP sequence numbers are
consistent with that byte being there.

If, however, you assume that the 0x4f is really part of the per-packet
libpcap record header, then the subsequent packets are valid.

So perhaps one byte got deleted from the capture file in the TCP
payload.

Given that the frame in question is an IMAP login, and contains what I
suspect was Nathan Neulinger's IMAP password, I suspect the problem may
have been that an attempt to X-out his password before submitting the
capture to the zoo deleted a character from that password.

Inserting an "X" back into the password string fixes most of the
problems, but the password is still incorrect - not surprising if the
original packet had a real password rather than "XXXXXX".