Ethereal-users: Re: [Ethereal-users] Problem with -w - on Windows 2000

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Richard Urwin <richard@xxxxxxxxxxxxxxx>
Date: Sat, 24 Apr 2004 19:42:53 +0100
On Saturday 24 Apr 2004 1:30 am, Joe Marcus Clarke wrote:
> I'm spawning tethereal-0.10.3 in Java on Windows 2000 SP4.  I'm
> reading bytes from stdout, and writing them to a file.  The resulting
> capture file is corrupt.  It either claims to have been truncated in
> mid-packet, or it claims that one packet far exceeds the max capture
> size of 65535.
>
> I thought this must have something to do with my Java code (even
> though it works fine on Solaris and FreeBSD).  So I took the same
> command line, and did a simple redirect to a file:
>
> tethereal -s 65535 -w - > outfile
>
> The resulting outfile has the same problem.  Again, this command
> works fine on Solaris and FreeBSD (and I assume all flavors of UNIX).
>  I've tried both WinPcap 2.3 and 3.0, and both exhibit the same
> behavior.  If needed, I can produce one of the bad capture files. 
> However, I think this is pretty reproducible as it's now happened on
> two different Windows 2000 machines.

Binary / text mode? If the file is written in text mode it will be 
corrupt on Windows but OK in *nix. Check by opening the file in a hex 
editor and finding CR LF (0D 0A) in pairs.

> I searched the archives, but didn't find anything relating to this.
> Ideally, what I'd like to be able to do is use -w <filename>, but
> Process.destroy() (in Java) calls TerminateProcess() on Windows, and
> this doesn't give tethereal a chance to flush its output buffer.  If
> tethereal flushed after each packet that might do it, but it only
> seems to do that if the output file is stdout.  Any advice would be
> greatly appreciated.  Thanks.

As a general fix that would slow down tethereal, but it would be OK as a 
command-line option.

-- 
Richard Urwin
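
The hex-editor check suggested in the reply above, written as a script. This is an added example, not part of the original thread and not Ethereal code. It assumes a classic little-endian libpcap file; the function names, packet bytes and timestamps are constructed for illustration.

```python
import struct

MAGIC = 0xA1B2C3D4  # classic libpcap magic (little-endian file assumed)
# Constructed packets: IPv4 headers whose 10.0.0.x addresses hold bare 0A bytes.
P1 = bytes.fromhex("450000140000000040010000" "0a000001" "0a000002")
P2 = bytes.fromhex("450000140000000040010000" "0a000002" "0a000001")

def build_pcap(payloads, snaplen=65535):
    """Build a capture in memory (link type 101 = raw IP, constructed timestamps)."""
    out = struct.pack("<IHHiIII", MAGIC, 2, 4, 0, 0, snaplen, 101)
    for i, data in enumerate(payloads):
        out += struct.pack("<IIII", 1082832173 + i, 0, len(data), len(data))
        out += data
    return out

def text_mode_write(data):
    """What a Windows text-mode stream does on output: LF becomes CR LF."""
    return data.replace(b"\n", b"\r\n")

def lf_stats(data):
    """Return (number of 0A bytes, number of those preceded by 0D)."""
    return data.count(b"\n"), data.count(b"\r\n")

def looks_text_mode(data):
    """True when every LF in the file is half of a CR LF pair."""
    total, paired = lf_stats(data)
    return total > 0 and total == paired

def walk_records(data):
    """Follow the record headers; return (packets_read, error_or_None)."""
    if len(data) < 24 or struct.unpack_from("<I", data)[0] != MAGIC:
        return 0, "not a little-endian libpcap file"
    snaplen = struct.unpack_from("<I", data, 16)[0]
    off, count = 24, 0
    while off < len(data):
        if off + 16 > len(data):
            return count, "truncated in record header"
        incl = struct.unpack_from("<I", data, off + 8)[0]
        if incl > snaplen:
            return count, "packet length %d exceeds snaplen %d" % (incl, snaplen)
        if off + 16 + incl > len(data):
            return count, "truncated in mid-packet"
        off += 16 + incl
        count += 1
    return count, None

if __name__ == "__main__":
    clean = build_pcap([P1, P2])
    for blob in (clean, text_mode_write(clean)):
        print(lf_stats(blob), looks_text_mode(blob), walk_records(blob))
```

On the constructed sample, the two inserted CR bytes in the first packet shift the second record header, and the length field then reads as 1310720, the "exceeds 65535" symptom from the original report. The all-LFs-paired test alone can also match a clean capture whose only LF bytes sit in CRLF-terminated text payloads, so `walk_records` is the confirming check.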