Wireshark · Ethereal-dev: Re: [Ethereal-dev] EtherHelp packets almost readable

Ethereal-dev: Re: [Ethereal-dev] EtherHelp packets almost readable - to fix -> change one byte

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>

Date: Wed, 17 Dec 2003 12:19:29 -0800


On Dec 16, 2003, at 9:53 PM, Andrew Johns wrote:

[Just banging my head against a wall trying to decode capture files
produced by an old version of etherpeek (called EtherHelp).

A Google search for "etherhelp" found a product datasheet for EtherHelpon the WildPackets Web site:


	http://www.wildpackets.com/elements/EtherHelp.pdf

but it says:

EtherHelp, a subset of EtherPeek(TM), our fullfeatured network andprotocol analysis software,

is a blind-packet capture application specifically

designed to help EtherPeek users who support and troubleshoot networksto obtain information from

a remote network without having to be on location.

rather than saying it's an old version of EtherPeek. Another page forEtherHelp:


	http://www.wildpackets.com/products/etherhelp

says

	For Macintosh

EtherHelp is a powerful and freely distributed remote packet captureapplication specifically designed to help people who design, build,manage and support multi-protocol, multi-topology networks analyze whatis happening on a LAN or WAN without having to visit that location.

EtherHelp works by capturing all network traffic, or a specifiedportion of that traffic, in the form of packets. Packets captured arenot displayed in EtherHelp, but can be saved in a file, which can thenbe accessed by or forwarded to support personnel for analysis byEtherPeek, which can display the saved packets.

A quick diff shows that only the first byte of the file changes - andin awell-formed manner, in that the first character of the etherhelp fileis
char(135) (135=128+7) vs the first char of the etherpeek file which is
char(7)....

At least according to the Ethereal code to read *Peek captures, thefirst byte of the file is a version number; it sounds as if the firstbyte of your capture was 0x80|7, and removing the 0x80 leaves 7, whichis a newer version number for *Peek capture files - there's code toread older versions, so I'm a bit skeptical that EtherHelp was an olderversion of EtherPeek (and WildPackets' documentation suggests that itisn't).

Perhaps the 0x80 bit means "captured by EtherHelp", in which case theEthereal code should perhaps strip the 8th bit from the first bytebefore checking it, and tread the result of that as the file versionnumber.


Do you have an EtherHelp capture on which I can test that?

Follow-Ups:
- Re: [Ethereal-dev] EtherHelp packets almost readable - to fix -> change one byte
  - From: Guy Harris

References:
- [Ethereal-dev] EtherHelp packets almost readable - to fix -> change one byte
  - From: Andrew Johns

Prev by Date: [Ethereal-dev] plugins/Makefile.nmake: added missing rule for v5ua plugin
Next by Date: [Ethereal-dev] Problems with "Save Highlighted Data..."
Previous by thread: [Ethereal-dev] EtherHelp packets almost readable - to fix -> change one byte
Next by thread: Re: [Ethereal-dev] EtherHelp packets almost readable - to fix -> change one byte
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$