Wireshark mailing list archives

Re: About "New Export Objects" --GSoC 2013
From: Guy Harris <guy () alum mit edu>
Date: Sat, 27 Apr 2013 23:27:55 -0700


On Apr 27, 2013, at 11:12 PM, "jin.huang" <54jin.huang () gmail com> wrote:

The Wireshark export objects function can export png/jpeg/text... files from the HTTP packet stream. But how does 
Wireshark know the exact file format from the frame data?

For HTTP:

        Part of the data in that frame or a previous frame is an HTTP response or request, which probably contains a 
Content-Type header.  The Content-Type header includes the media type of the body of the response or request, which 
indicates the data type of the object.  Wireshark might, however, only use that to determine whether the format should 
be thought of as text or binary data.

For SMB:

        Wireshark, as far as I know, just dumps out the raw bytes transferred by read and write requests.

For DICOM:

        I don't know whether the DICOM protocol specifies the types of the objects being transferred.  If not, 
Wireshark may just dump out the raw bytes.

Ultimately, however, what matters is only whether the data is text or not.  If it's text, then Wireshark should 
probably be converting the line endings to the line endings appropriate for the OS on which it's running (CR-LF for 
Windows, LF for all flavors of UN*X).  If it's binary, it should just dump out the raw bytes of the file.  That might 
be all that Wireshark does, if it even handles text specially.  Files on both UN*X and Windows are just seekable byte 
streams, without a file format indicator, so Wireshark doesn't need to know the file format - all it could do with the 
file format is choose a default file extension.

For FTP, you could determine whether the file is text or binary only by seeing enough of the FTP session to see a TYPE 
command issued.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
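
Added example, not part of the original message and not Wireshark's own code: the Python below follows the decision described in the reply above, reading the Content-Type header of a reassembled HTTP message, using it only to choose a default extension and to decide between line-ending conversion (text) and a raw dump (binary), and reading the FTP transfer type from a captured TYPE command. The function names, the extension table and the sample messages are assumptions constructed for illustration.

```python
import os

# Constructed table: the media type is only used to pick a default extension.
DEFAULT_EXT = {"image/png": ".png", "image/jpeg": ".jpg", "text/plain": ".txt"}

# Constructed sample messages (reassembled HTTP responses, not captured traffic).
SAMPLE_TEXT = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain; charset=utf-8\r\n"
               b"\r\nline one\r\nline two\n")
SAMPLE_PNG = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG\r\n\x1a\n"

def media_type(raw):
    """Return (media type or None, body) for one reassembled HTTP message."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block incomplete; more frames are needed")
    for line in head.split(b"\r\n")[1:]:          # skip request/status line
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"content-type":
            # Drop parameters such as charset; keep only type/subtype.
            return value.split(b";", 1)[0].strip().lower().decode("latin-1"), body
    return None, body

def export_object(raw, linesep=os.linesep.encode()):
    """Return (default extension, bytes to write to disk)."""
    mtype, body = media_type(raw)
    ext = DEFAULT_EXT.get(mtype, ".bin")
    if mtype is not None and mtype.startswith("text/"):
        # Text: normalise CR-LF and bare LF to the local line ending.
        body = body.replace(b"\r\n", b"\n").replace(b"\n", linesep)
    return ext, body                               # binary: raw bytes untouched

def ftp_is_text(control_lines):
    """True/False from the last TYPE command seen, None if none was captured."""
    result = None
    for line in control_lines:
        parts = line.split()
        if len(parts) >= 2 and parts[0].upper() == "TYPE":
            result = parts[1].upper() in ("A", "E")   # A/E are text, I/L binary
    return result

if __name__ == "__main__":
    print(export_object(SAMPLE_TEXT))
    print(export_object(SAMPLE_PNG))
    print(ftp_is_text(["USER anonymous", "TYPE I", "RETR a.bin"]))
```

The PNG sample shows why the binary path must stay untouched: the PNG signature itself contains a CR-LF pair that line-ending conversion would corrupt.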

