Ethereal-users: [Ethereal-users] change in tcp follow stream "save as"

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Ron Norton" <RNorton@xxxxxxxxxxxxxx>
Date: Sat, 5 Feb 2005 09:35:12 -0800
Title: change in tcp follow stream "save as"

We have been using ethereal on W2k (comments below also hold for XP though) for a long time [0.8.x and up].

One of the unique and very useful features in our situation is the "tcp follow stream".  This is a great aid because it has allowed following a set of frames connected to a job whose aggregated, intact, packet data content we needed to be able to use for diagnosis by resending the data content.

Often that content of interest in our case is a mix of both ASCII and binary.  The windows driver for some of the devices we manufacture happens to output a PCX image in various situations.

For ethereal 0.9.7 through 0.10.3 selecting an associated group of job frames for a "tcp follow stream" then shows in the ASCII display mode both ASCII content and either periods or in some cases a 7 bit rendition of an 8 bit character, which is fine. 

For ethereal 0.9.7-0.10.3 using "save as" on such an ASCII tcp follow stream display produces a saved file that has both the ASCII and binary data intact.  In our case, using a binary editor on the saved file then allowes recovery and viewing of the embedded-in-job pcx image for correctness.

0.10.4 generally works the same way, but has some problems and produces a slightly different file outcome, but the ASCII+binary feature is still intact in the saved-as file output, and for our purpose still is still workable.

For 0.10.5 through 0.10.9 the "tcp follow stream, save as.." has been changed, either intentionally or unintentionally. 

What occurs in the "save as" file output from 0.10.5 and up is that the characters displayed in the ASCII display are what you get in the "save as file".  This means a null, for example, gets saved in the file as a 2E, because a 2E, or the period, is used in the ASCII display for a non-printable value which destroys it's utility to us.

My questions:
-- is/was this "save as.." behavior change intentional, or
-- is there a means to work around this I am not aware of in 0.10.5 and up, or?

Any feedback from anyone would be greatly appreciated.  Clearly we'd like to be able to take advantage of the newer build features/fixes as the come also.  Right now, have to keep two versions installed.

Ron Norton