gelf-payload-decode tcpdump-x parser bad?

Question

wdoekes opened this issue 2 years ago · comments

Does this read the end of packets correctly? Or should that be {2,39}?

Walter Doekes · Answer 1 · Tue Jul 11 2023 17:22:46 GMT+0800 (China Standard Time)

It's fine. A trailing log might look like:

	0x0030:  9894 491e                                ..I.
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

In that case we still match 39 chars.

Only for -x dumps (only hex) -- instead of -X (hex+ascii) -- would this be an issue. But nobody uses those.