Ethereal-users: Re: [Ethereal-users] Re: Capturing EBCDIC data

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <gharris@xxxxxxxxx>
Date: Mon, 15 Nov 2004 23:41:14 -0800
Kurt Schroeder wrote:


Ethereal seems very good at quickly showing a capture file as ASCII in the
Follow TCP stream window, but clicking on EBCDIC seems to hang Ethereal on
my PC. It takes LOTS of CPU using only very small (1-2 MB traces.)
If it truly hangs, it takes an infinite amount of CPU; do you mean that it hangs (loops forever, no matter how long you wait), or just that it takes a really long time to complete? 


I was told in a reply that the trace files are neither ASCII nor EBCDIC,
but instead are raw binary data. If that's true,
It is entirely true. Trace files (in Ethereal's native format, libpcap format, as used originally in tcpdump, but other formats are similar) have a per-file header followed by a sequence of packets, each of which has a per-packet header giving time stamp and packet length information followed by the raw bytes of the packet as supplied by the packet capture mechanism. 


Ethereal seems to be WAY
better at rendering ASCII than it is at rendering EBCDIC.
Ethereal renders the text of a TCP stream using a GTK+ text widget; given that Ethereal is running on an OS whose native character set is ASCII (I know of no OS/390 or zOS port, or ports to other OSes that use EBCDIC; it runs on ASCII UN*Xes and Windows), that widget's native character set is ASCII, not EBCDIC.
Rendering ASCII text means checking for non-printable characters and showing them as ".", and showing printable characters as themselves.
Rendering EBCDIC text means translating EBCDIC characters into their ASCII equivalents and then doing the above.
In addition, Ethereal's default display format for TCP streams is ASCII, so to display as EBCDIC requires a redisplay. For a large stream, clearing the text widget before inserting the new text can take a significant amount of time (for a 6.6Mb stream, it took about 6.4 seconds on my 1.5MHz PowerPC-based UNIX workstation). In addition, it appears it does that *twice*.
The difference in time between displaying ASCII and displaying EBCDIC is a lot bigger than I'd naively expect from the table lookup used for the translation; there might be ways to improve it. Not processing the stream twice would probably help as well.
It's still not going to be *as* fast, as it has to map from the non-native EBCDIC character set to the native ASCII character set.