[ntar-workers] Seekable file layouts etc

Gianluca Varenni gianluca.varenni at gmail.com
Fri Jul 8 15:48:41 GMT 2005


----- Original Message ----- 
From: "Christian Kreibich" <christian at whoop.org>
To: "NTAR workers" <ntar-workers at winpcap.org>
Sent: Thursday, July 07, 2005 1:02 PM
Subject: Re: [ntar-workers] Seekable file layouts etc


> On Thu, 2005-07-07 at 09:25 -0700, Gianluca Varenni wrote:
>>
>> What do you mean by "special magic for SPB headers?" SPB is the simple
>> packet block (so a "normal" block), and it should have nothing to do with
>> synchronization.
>
> I think you can use any kind of header implicitly for testing whether
> you are back in sync with the flow of blocks, by applying best-possible
> heuristics and attempting to walk the block sequence per
> tcpslice/libpcapnav's approach.
>
>> In any case, it would be interesting to have some mechanism to
>> resynchronize a tracefile obtained out of truncated captures, I don't
>> know if it's so easy (basically you need to find a new SHB where you
>> were expecting the data of a block).
>
> I think once you detect corruption you simply have to start from the
> last valid block and do a byte-by-byte scan and test whether the
> parseable sequence of blocks looks decent, per the above. From that you
> should be able to fix the block size fields in situ to restore correct
> sequencing (if you don't want to duplicate a 5GB trace), or ...

You can do this only if the corrupted block size is a multiple of 32 
bits. Every block is aligned to 32 bits, and the block size in the header 
tells the actual size of the block (i.e. without the padding used to reach a 
32-bit aligned block). In any case, such a corrupted block should be marked as 
garbage using some reserved block type (in order to avoid headaches when 
dissecting such blocks).

Have a nice day
GV

>
>> You basically use this mode to take the corrupted trace file and
>> regenerate a good trace file (cutting out all the garbage).
>
> ... do as you say, if performance allows it.



>
> Cheers,
> Christian.
> -- 
> ________________________________________________________________________
>                                          http://www.cl.cam.ac.uk/~cpk25
>                                                    http://www.whoop.org
>
>
> _______________________________________________
> ntar-workers mailing list
> ntar-workers at winpcap.org
> https://www.winpcap.org/mailman/listinfo/ntar-workers 
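The resynchronization the two messages above discuss (walk the block sequence, lose sync, scan byte by byte from the last valid block, accept the first offset from which a few blocks chain cleanly, then either regenerate a clean file or mark the bad span in situ) as a small worked example. This is added illustration, not NTAR project code or anything posted on the list. It assumes the block layout later fixed by the pcapng spec (block type, total length, body padded to 32 bits, trailing total length), little-endian encoding throughout, and a hypothetical reserved `GARBAGE` block type whose value is only a placeholder; the sample trace is constructed inline.

```python
import struct

# Block type codes as in the pcapng spec (NTAR's successor); assumed, not from the thread.
SHB = 0x0A0D0D0A      # Section Header Block
IDB = 0x00000001      # Interface Description Block
SPB = 0x00000003      # Simple Packet Block
EPB = 0x00000006      # Enhanced Packet Block
GARBAGE = 0xBAD00000  # hypothetical reserved "garbage" type, placeholder value only
KNOWN_TYPES = {SHB, IDB, SPB, EPB, GARBAGE}
BYTE_ORDER_MAGIC = 0x1A2B3C4D
MIN_BLOCK = 12        # type + total length + trailing total length


def make_block(btype, body):
    """Serialize one little-endian block, padding the body to a 32-bit boundary."""
    body += b"\x00" * ((-len(body)) % 4)
    total = MIN_BLOCK + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def parse_block(data, off):
    """Return (type, total_length) if a plausible block starts at off, else None."""
    if off + MIN_BLOCK > len(data):
        return None
    btype, total = struct.unpack_from("<II", data, off)
    if btype not in KNOWN_TYPES or total < MIN_BLOCK or total % 4 or off + total > len(data):
        return None
    if struct.unpack_from("<I", data, off + total - 4)[0] != total:
        return None  # trailing length disagrees with the header: not a block boundary
    if btype == SHB and struct.unpack_from("<I", data, off + 8)[0] != BYTE_ORDER_MAGIC:
        return None
    return btype, total


def looks_in_sync(data, off, depth=2):
    """tcpslice-style heuristic: a resync candidate counts only if `depth` blocks chain from it."""
    for _ in range(depth):
        hdr = parse_block(data, off)
        if hdr is None:
            return off >= len(data)  # reaching EOF exactly on a block boundary is fine
        off += hdr[1]
    return True


def walk(data):
    """Return a list of (offset, type, length); spans that cannot be parsed get type None."""
    blocks, off = [], 0
    while off < len(data):
        hdr = parse_block(data, off)
        if hdr is not None:
            blocks.append((off, hdr[0], hdr[1]))
            off += hdr[1]
            continue
        # Lost sync: scan byte by byte for the next offset from which blocks chain cleanly.
        cand = off + 1
        while cand < len(data) and not (parse_block(data, cand) and looks_in_sync(data, cand)):
            cand += 1
        blocks.append((off, None, cand - off))
        off = cand
    return blocks


def rebuild(data):
    """Regenerate a clean trace: copy good blocks, wrap each bad span in a GARBAGE block."""
    out = bytearray()
    for off, btype, length in walk(data):
        chunk = data[off:off + length]
        out += make_block(GARBAGE, chunk) if btype is None else chunk
    return bytes(out)


def mark_in_place(data, off, length):
    """Overwrite the span's first 8 and last 4 bytes with a GARBAGE header/trailer, no copy.
    This only works when the span is a whole number of 32-bit words, which is the objection
    raised in the reply above."""
    if length % 4 or length < MIN_BLOCK:
        raise ValueError("a %d-byte span cannot be marked in place" % length)
    buf = bytearray(data)
    struct.pack_into("<II", buf, off, GARBAGE, length)
    struct.pack_into("<I", buf, off + length - 4, length)
    return bytes(buf)


def sample_trace():
    """Constructed input: a good section, a capture truncated mid-block, then a new section."""
    shb = make_block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
    idb = make_block(IDB, struct.pack("<HHI", 1, 0, 65535))
    spb = make_block(SPB, struct.pack("<I", 6) + b"\xaa" * 6)
    section = shb + idb + spb                                     # 72 bytes
    cut_short = make_block(SPB, struct.pack("<I", 9) + b"\xbb" * 9)[:-5]  # 23 of 28 bytes
    return section + cut_short + section


if __name__ == "__main__":
    for off, btype, length in walk(sample_trace()):
        print(off, "garbage" if btype is None else hex(btype), length)
    print(len(rebuild(sample_trace())))
```

On the constructed trace the walker accepts the first three blocks, fails at offset 72 (the trailing length of the cut-short SPB lands inside the next SHB), and resynchronizes at offset 95 where a section header followed by a parseable IDB begins; the 23-byte span is not a multiple of four, so `mark_in_place` refuses it and only `rebuild` (which pads the span into a proper block) produces a trace that walks cleanly. The two-block look-ahead is a cheap guard against random bytes that happen to look like a header; raising `depth` makes false resyncs rarer at the cost of more rescanning, and a real reader would take endianness from the SHB magic rather than assuming little-endian as this example does.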