Ethereal-users: [Ethereal-users] Trace corrupted when using Save As

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Tue, 9 Apr 2002 17:08:34 +0100
Hi All,

A colleague and I discovered a very nasty bug today.  If you specify a save
file before you begin capturing and then "Save-As" to the same file in a
different format, the output trace and the trace stored in memory and on disk
are corrupted. The timestamps appear OK but the MAC addresses are all 0's and
the decode is "[Malformed Packet]".

To reproduce:
1) Select Capture/Start 
2) Enter a file name in the "Capture File(s)" section (e.g. "d:\mytrace.trc")
3) Select OK, Capture some packets and stop the trace 
4) Select File/Save As
5) Enter the exact same file name in the "Selection"
6a) If you select "File type" as libpcap and select OK
This results in an error: "The file "D:\mytrace.trc" is not a capture file
in a format Ethereal understands".
or 
6b) If you select "File type" as "Network Associated Sniffer (DOS based)" and
select OK
This corrupts the current trace in memory and also the file on disk.

Here's a before and after extract using tethereal:
D:\>tethereal -n  -r splat.trc
  1   0.000000  10.17.1.249 -> 128.150.0.11 SNMP RESPONSE
  2   0.001197 128.150.0.11 -> 10.17.1.249  SNMP GET-NEXT
  3   0.001773  10.16.1.249 -> 128.150.0.10 SNMP RESPONSE
  4   0.002233 128.150.0.10 -> 10.16.1.249  SNMP GET
  5   0.010258 00:04:ac:64:7d:28 -> c0:00:ff:ff:ff:ff TR MAC Standby Monitor Present

D:\>tethereal -n  -r splat.trc
  1   0.000000 00:00:00:00:00:00 -> 00:00:00:00:00:00 TR MAC Response
  2   0.001197 00:00:00:00:00:00 -> 00:00:00:00:00:00 TR MAC Response
  3   0.001773 00:00:00:00:00:00 -> 00:00:00:00:00:00 TR MAC Response
  4   0.002233 00:00:00:00:00:00 -> 00:00:00:00:00:00 TR MAC Response
  5   0.010258 00:00:00:00:00:00 -> 00:00:00:00:00:00 TR MAC Response

Saving to any other file does not show this problem.

May I recommend:
1) Ethereal should work as the user intended or should disallow a save-as to
an active file. 
2) Ethereal should prompt whether it is OK to overwrite an existing file. 
3) Perhaps, also the "Capture File(s)" should include a "File Type" option
to prevent this sort of mix-up in the first place.

My config:
WinPCap 2.3
Ethereal 0.9.2
Windows NT 4.0 SP6

If anyone can reproduce this, could they suggest a method by which we can
undo the trace corruption? [If you can do that, are you able to turn sausages
into pigs too? :-) ]

Thanks in advance

Alistair
> ----------------------------------------------------------------------
> Alistair McGlinchy,           alistair.mcglinchy@xxxxxxxxxxxxxxxxxxxxx
> Sizing and Performance, Central IT,   ext. 5012,   ph +44 20 7268-5012
> Marks and Spencer, 3 Longwalk Rd, Stockley Park, Uxbridge UB11 1AW, UK 
> 
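
Recommendations 1 and 2 above, sketched as an added example that is not part of the original post and is not Ethereal's code: the Save As target is compared with the open capture file by file identity rather than by name, and the save goes through a temporary file so the source is never truncated while it is being read. It assumes POSIX stat() and mkstemp(); the function and enum names are hypothetical, and on Windows the same identity comes from the volume serial number and file index returned by GetFileInformationByHandle.

```c
/* Added example, not Ethereal source. POSIX only; all names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum save_check { SAVE_OK, SAVE_EXISTS, SAVE_SAME_FILE, SAVE_ERROR };

/* Classify a Save As target against the open capture file. Identity is
 * (device, inode), so "./x.trc", hard links and symlinks are caught too. */
enum save_check check_save_target(const char *open_path, const char *dest_path)
{
    struct stat src, dst;
    if (stat(open_path, &src) != 0)
        return SAVE_ERROR;
    if (stat(dest_path, &dst) != 0)
        return errno == ENOENT ? SAVE_OK : SAVE_ERROR;
    if (src.st_dev == dst.st_dev && src.st_ino == dst.st_ino)
        return SAVE_SAME_FILE;          /* recommendation 1: refuse or go via temp */
    return SAVE_EXISTS;                 /* recommendation 2: ask before overwriting */
}

/* Write to a temporary file next to dest, then rename() it into place.
 * The byte copy stands in for the format conversion a real save performs. */
int save_via_temp(const char *src, const char *dest)
{
    char tmp[4096], buf[8192];
    size_t n;
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", dest) >= (int)sizeof tmp)
        return -1;
    FILE *in = fopen(src, "rb");
    int fd = in ? mkstemp(tmp) : -1;
    FILE *out = fd >= 0 ? fdopen(fd, "wb") : NULL;
    if (!out) {
        if (fd >= 0) { close(fd); remove(tmp); }
        if (in) fclose(in);
        return -1;
    }
    while ((n = fread(buf, 1, sizeof buf, in)) > 0 && fwrite(buf, 1, n, out) == n)
        ;
    int ok = !ferror(in) && !ferror(out);
    fclose(in);
    if (fclose(out) != 0) ok = 0;
    if (ok && rename(tmp, dest) == 0) return 0;
    remove(tmp);                        /* failed: dest is left untouched */
    return -1;
}
```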

