WildPackets' EtherHelp appears to write EtherPeek-compatible files,
except that the 0x80 bit is turned on in the file version number field.
Turn that bit off before processing that field.

svn path=/trunk/; revision=9342
Guy Harris 2003-12-18 03:43:40 +00:00
parent 7725f5e92d
commit a98aa75a58
6 changed files with 37 additions and 21 deletions

README

@ -1,4 +1,4 @@
$Id: README,v 1.62 2003/10/31 08:15:14 guy Exp $
$Id: README,v 1.63 2003/12/18 03:41:00 guy Exp $
General Information
------- -----------
@ -96,7 +96,7 @@ Microsoft Network Monitor
AIX's iptrace
Cinco Networks NetXRray
Network Associates Windows-based Sniffer
AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek
AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp
RADCOM's WAN/LAN Analyzer
Lucent/Ascend access products
HP-UX's nettl


@ -29,12 +29,13 @@ B<LANalyzer> captures, Network General/Network Associates DOS-based
B<Sniffer> (compressed or uncompressed) captures, Microsoft B<Network
Monitor> captures, files from AIX's B<iptrace>, Cinco Networks
B<NetXRay> captures, captures from Network Associates Windows-based
B<Sniffer>, AG Group/WildPackets B<EtherPeek>/B<TokenPeek>/B<AiroPeek>
captures, captures from B<RADCOM>'s WAN/LAN analyzer, B<Lucent/Ascend>
router debug output, files from HP-UX's B<nettl>, the dump output from
B<Toshiba's> ISDN routers, the output from B<i4btrace> from the ISDN4BSD
project, the output in B<IPLog> format from the Cisco Secure Intrusion
Detection System, B<pppd logs> (pppdump format), the output from VMS's
B<Sniffer>, AG Group/WildPackets
B<EtherPeek>/B<TokenPeek>/B<AiroPeek>/B<EtherHelp> captures, captures
from B<RADCOM>'s WAN/LAN analyzer, B<Lucent/Ascend> router debug output,
files from HP-UX's B<nettl>, the dump output from B<Toshiba's> ISDN
routers, the output from B<i4btrace> from the ISDN4BSD project, the
output in B<IPLog> format from the Cisco Secure Intrusion Detection
System, B<pppd logs> (pppdump format), the output from VMS's
B<TCPIPtrace>/B<TCPtrace>/B<UCX$TRACE> utilities, the text output from
the B<DBS Etherwatch> VMS utility, traffic capture files from Visual
Networks' Visual UpTime, the output from B<CoSine> L2 debug, the output


@ -47,12 +47,13 @@ Novell B<LANalyzer> captures, Network General/Network Associates
DOS-based B<Sniffer> (compressed or uncompressed) captures, Microsoft
B<Network Monitor> captures, files from AIX's B<iptrace>, Cinco Networks
B<NetXRay> captures, captures from Network Associates Windows-based
B<Sniffer>, AG Group/WildPackets B<EtherPeek>/B<TokenPeek>/B<AiroPeek>
captures, captures from B<RADCOM>'s WAN/LAN analyzer, B<Lucent/Ascend>
router debug output, files from HP-UX's B<nettl>, the dump output from
B<Toshiba's> ISDN routers, the output from B<i4btrace> from the ISDN4BSD
project, the output in B<IPLog> format from the Cisco Secure Intrusion
Detection System, B<pppd logs> (pppdump format), the output from VMS's
B<Sniffer>, AG Group/WildPackets
B<EtherPeek>/B<TokenPeek>/B<AiroPeek>/B<EtherHelp> captures, captures
from B<RADCOM>'s WAN/LAN analyzer, B<Lucent/Ascend> router debug output,
files from HP-UX's B<nettl>, the dump output from B<Toshiba's> ISDN
routers, the output from B<i4btrace> from the ISDN4BSD project, the
output in B<IPLog> format from the Cisco Secure Intrusion Detection
System, B<pppd logs> (pppdump format), the output from VMS's
B<TCPIPtrace>/B<TCPtrace>/B<UCX$TRACE> utilities, the text output from
the B<DBS Etherwatch> VMS utility, traffic capture files from Visual
Networks' Visual UpTime, the output from B<CoSine> L2 debug, the output


@ -26,9 +26,9 @@ captures, Network General/Network Associates DOS-based B<Sniffer>
(compressed or uncompressed) captures, Microsoft B<Network Monitor>
captures, files from AIX's B<iptrace>, Cinco Networks B<NetXRay>
captures, captures from Network Associates Windows-based B<Sniffer>, AG
Group/WildPackets B<EtherPeek>/B<TokenPeek>/B<AiroPeek> captures,
captures from B<RADCOM>'s WAN/LAN analyzer, B<Lucent/Ascend> router
debug output, files from HP-UX's B<nettl>, the dump output from
Group/WildPackets B<EtherPeek>/B<TokenPeek>/B<AiroPeek>/B<EtherHelp>
captures, captures from B<RADCOM>'s WAN/LAN analyzer, B<Lucent/Ascend>
router debug output, files from HP-UX's B<nettl>, the dump output from
B<Toshiba's> ISDN routers, the output from B<i4btrace> from the ISDN4BSD
project, the output in B<IPLog> format from the Cisco Secure Intrusion
Detection System, B<pppd logs> (pppdump format), the output from VMS's
@ -42,7 +42,7 @@ need to tell B<Mergecap> what type of file you are reading; it will
determine the file type by itself. B<Mergecap> is also capable of
reading any of these file formats if they are compressed using gzip.
B<Mergecap> recognizes this directly from the file; the '.gz' extension
is not required for this purpose.
is not required for this purpose.
By default, it writes the capture file in B<libpcap> format, and writes
all of the packets in both input capture files to the output file. The
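Review bot: in the -42,7 hunk the line "is not required for this purpose." appears as both the removed and the added line with no visible difference, so the only change there can be trailing whitespace or a line ending; if that was not intended, drop it so the diff stays limited to the EtherHelp addition.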


@ -50,8 +50,8 @@ General/Network Associates DOS-based B<Sniffer> (compressed or
uncompressed) captures, Microsoft B<Network Monitor> captures, files
from AIX's B<iptrace>, Cinco Networks B<NetXRay> captures, captures from
Network Associates Windows-based B<Sniffer>, AG Group/WildPackets
B<EtherPeek>/B<TokenPeek>/B<AiroPeek> captures, captures from
B<RADCOM>'s WAN/LAN analyzer, B<Lucent/Ascend> router debug output,
B<EtherPeek>/B<TokenPeek>/B<AiroPeek>/B<EtherHelp> captures, captures
from B<RADCOM>'s WAN/LAN analyzer, B<Lucent/Ascend> router debug output,
files from HP-UX's B<nettl>, the dump output from B<Toshiba's> ISDN
routers, the output from B<i4btrace> from the ISDN4BSD project, the
output in B<IPLog> format from the Cisco Secure Intrusion Detection


@ -2,7 +2,7 @@
* Routines for opening EtherPeek (and TokenPeek?) files
* Copyright (c) 2001, Daniel Thompson <d.thompson@gmx.net>
*
* $Id: etherpeek.c,v 1.24 2003/10/01 07:11:46 guy Exp $
* $Id: etherpeek.c,v 1.25 2003/12/18 03:43:40 guy Exp $
*
* Wiretap Library
* Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
@ -163,6 +163,20 @@ int etherpeek_open(wtap *wth, int *err)
&ep_hdr.master, sizeof(ep_hdr.master), wth->fh, err);
wth->data_offset += sizeof(ep_hdr.master);
/*
* It appears that EtherHelp (a free application from WildPackets
* that did blind capture, saving to a file, so that you could
* give the resulting file to somebody with EtherPeek) saved
* captures in EtherPeek format except that it ORed the 0x80
* bit on in the version number.
*
* We therefore strip off the 0x80 bit in the version number.
* Perhaps there's some reason to care whether the capture
* came from EtherHelp; if we discover one, we should check
* that bit.
*/
ep_hdr.master.version &= ~0x80;
/* switch on the file version */
switch (ep_hdr.master.version) {
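Review bot: `ep_hdr.master.version &= ~0x80;` discards the EtherHelp indicator before the `switch` on the file version, so nothing later in the open routine can tell an EtherHelp file from an EtherPeek one, which the comment itself says may matter. Capture the bit before masking, for example `gboolean from_etherhelp = (ep_hdr.master.version & 0x80) != 0;` ahead of the mask, so the information is available if a reason to check it turns up. Note also that the mask is unconditional: any file whose version byte has the high bit set for some other reason will now be treated as the corresponding EtherPeek version, so the `default` case of the `switch` remains the only guard against misidentifying such files.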