Wireshark-dev: Re: [Wireshark-dev] Omnivorous Shark

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 5 Feb 2014 01:32:00 -0800
On Feb 5, 2014, at 12:21 AM, Michal Labedzki <michal.labedzki@xxxxxxxxx> wrote:

> I am thinking about formats without any magic numbers - formats that
> begin with the first packet, like binary Logcat/Logger
> (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8279) or raw
> media files like a file that contains only SBC frames (see "libsbc"), etc
> (formats without a header).
> 
> And the fact that Wireshark does not only check magic bytes, but tries all
> open routines

Wireshark *doesn't* try all open routines - once an open routine returns success, it stops.

And it tries the magic number ones before the heuristics (this is by design and is what is intended).

> is a great feature (if the magic bytes are ok, but the payload is not)

If the magic number is OK, but the payload is not, the probability is extremely high that you have a corrupted file, and forcing Wireshark to treat the file as being of another file format won't help.

As far as I know, we've *never* had a problem with files of some non-magic-number format incorrectly being recognized as a file of some type with a magic number; all the problems we've seen have, not surprisingly, been with files that don't have magic numbers.
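To make the selection order discussed above concrete, here is an added Python model of that loop. It is an editorial illustration, not Wireshark's wiretap code: the opener names, the "mine"/"not mine" return values and the headerless "length-prefixed records" format are assumptions made for the example; only the libpcap magic numbers and the pcapng Section Header Block type are real. Magic-number openers run first, heuristics run after them, and the first opener that claims the file ends the search, so a file with a valid pcap magic and garbage after it is still reported as pcap and never reaches the heuristics.

```python
import struct

# Simplified opener results (assumption: the real openers use their own return codes).
NOT_MINE, MINE = "not mine", "mine"

# Real libpcap magic numbers: both byte orders, microsecond and nanosecond variants.
PCAP_MAGICS = {0xa1b2c3d4, 0xd4c3b2a1, 0xa1b23c4d, 0x4d3cb2a1}
# Real pcapng Section Header Block type; the same bytes in either byte order.
PCAPNG_SHB_TYPE = 0x0a0d0d0a


def open_pcap(data: bytes) -> str:
    """Magic-number opener: claims the file on the 4-byte magic alone."""
    if len(data) < 4:
        return NOT_MINE
    (magic,) = struct.unpack("<I", data[:4])
    return MINE if magic in PCAP_MAGICS else NOT_MINE


def open_pcapng(data: bytes) -> str:
    """Magic-number opener: claims the file if it starts with an SHB block type."""
    if len(data) < 4:
        return NOT_MINE
    (block_type,) = struct.unpack("<I", data[:4])
    return MINE if block_type == PCAPNG_SHB_TYPE else NOT_MINE


def open_headerless_records(data: bytes) -> str:
    """Heuristic opener for a constructed headerless format: a sequence of
    records, each a 2-byte little-endian length followed by that many bytes.
    There is no magic, so the only evidence is that at least two records
    tile the file exactly, which is the kind of check a headerless format needs."""
    if len(data) < 3:
        return NOT_MINE
    off, count = 0, 0
    while off < len(data):
        if off + 2 > len(data):
            return NOT_MINE
        (length,) = struct.unpack_from("<H", data, off)
        if length == 0 or off + 2 + length > len(data):
            return NOT_MINE
        off += 2 + length
        count += 1
    return MINE if count >= 2 else NOT_MINE


# Magic-number openers are tried before heuristic ones, on purpose.
MAGIC_OPENERS = [("pcap", open_pcap), ("pcapng", open_pcapng)]
HEURISTIC_OPENERS = [("headerless-records", open_headerless_records)]


def detect(data: bytes):
    """Return (format_name, openers_tried). The first opener that returns MINE
    wins and nothing after it is tried; None means no opener claimed the file."""
    tried = []
    for name, opener in MAGIC_OPENERS + HEURISTIC_OPENERS:
        tried.append(name)
        if opener(data) == MINE:
            return name, tried
    return None, tried


# Constructed sample files (not captured data).
PCAP_HEADER = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
PCAP_CORRUPT = PCAP_HEADER + b"\xff" * 9          # good magic, nonsense where records should be
PCAPNG_SHB = struct.pack("<IIIHHqI", 0x0a0d0d0a, 28, 0x1a2b3c4d, 1, 0, -1, 28)
HEADERLESS = b"\x03\x00abc" + b"\x05\x00hello"     # two length-prefixed records, no header
UNKNOWN = b"\x00" * 8                              # nothing claims this

if __name__ == "__main__":
    for label, sample in [("corrupt pcap", PCAP_CORRUPT), ("pcapng", PCAPNG_SHB),
                          ("headerless", HEADERLESS), ("unknown", UNKNOWN)]:
        fmt, tried = detect(sample)
        print(f"{label:13s} -> {fmt!s:20s} openers tried: {tried}")
```

The corrupt pcap sample shows the point of the reply: because the magic matched, only one opener ran, and trying the remaining openers would not have rescued the file. The headerless sample only gets classified after both magic-number openers have declined it.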