[ntar-workers] Re: Bug in http.cap.ntar file?!?
Ulf Lamping
ulf.lamping at web.de
Tue Oct 9 19:43:47 GMT 2007
Hi List!
This was a ntar related discussion between me and Gianluca about ntar
development and inclusion into Wireshark. I'll CC this to the
ntar-workers list from now to find a point to sync this discussion into
this list. I guess you won't understand much right now, but this
hopefully will clarify the next days as I expect more Mails ...
I'm currently implementing an ntar / pcapng implementation for inclusion
into Wireshark ...
Gianluca send me an example ntar capture file and there's discussion
about it, so let the mails flow now .............
Gianluca Varenni schrieb:
> I just checked the NTAR implementation of this. And the value does not
> get aligned.
Which I guess is the bug.
> The specification doesn't actually say the Block Total Length field
> should be 32bit aligned.
Ack
> Section 2.1 (General Block Structure) says that the Block Body should
> be 32bit aligned (Figure 1). But it doesn't say anything about the
> Block Total Length. I can be wrong, but the Block Total Length should
> not actually account for the padding bytes at all. Without that, there
> is no way to understand if the Block Body contains an alignment or not
> (the only way would be to decode the Block Body itself).
>
> Does it make sense to you?
Unsure ;-) There is no ambitious thing I can see here! Section "2.1.
General Block Structure" states that a block starts with "Block Type"
and ends with the *second* "Block Type Length" - after that block. So
this means that the "Block Body" is always 32 bit aligned regardless of
the block content and therefore the "Block Total Length" *must be* a
multiple of 4.
Or do we speak about the same thing? ;-)
>
> Having said that, the trace I sent you is wrong in any case, as the
> packet block itself includes the padding. I think I found the bug in
> the ntar code and fixed it. Attached you can find a new version of the
> trace file.
I'll have a look tomorrow ...
>
> PS: I finally have someone finding the bugs in the ntar library by
> using a different pcapng implementation :-)
I thought about the same - so implementing it a second time is at least
not a waste of it ;-)))
Regards, ULFL
More information about the ntar-workers
mailing list