Home page logo
/

wireshark logo Wireshark mailing list archives

Re: Fileshark (AKA Dissecting Files with Wireshark)
From: Michal Labedzki <michal.labedzki () tieto com>
Date: Fri, 21 Jun 2013 08:57:47 +0200

Hi,
I think that presented idea is good news.
So question from my side:

1. Why separate application? ("Shared") Code maintenance should be easier
in one application (no copy of any code). I guess there will be only some
cosmetic changes in present file instead of protocol:
a) no Packet List (because it is one "Packet", let call it "Block")
b) "Packet" Details + "Packet" Bytes seems to be everything what we need at
all
c) it is good to have: "Preview", but this may be hard. Preview PNG, BMP,
GIF, JPG or MP3 is easy (and TXT)... but ODF, DOC, PDF may be hard
[external library?using dlopen may be good way], and ELF, EXE preview is
probably impossible (everything is possible, maybe someone want to add
processor emulator :) [Joke: Than create WiresharkOS :)])

I guess Wireshark may change only part of it behaviour when opening file.
Something like changing Preferences -> User Interface -> Layout -> Panes.

2. What will be different between show file by Wireshark and Fileshark (As
I understand protocol dissector can call file dissector, so what I lose
when I do that?)

3. What about files like *.pcap, *.pcapng, btsnoop, etc.? In Wireshark will
be easy to firstly dissect it by file dissector and then call protocol
dissector: in results everything is in place. In Fileshark we dissect, for
example PCAP format, and see undecoded block?

4. What about streams? For example Android Binary (Logcat/Logger) logs come
as never-ending stream. Also Linux Kernel Messages (aka /dev/kmsg) [note: I
finish work in PCAP and Wireshark]. Where is right place for it? I guess in
Wireshark because we can capture then in the same way like Bluetooth, USB,
network packets. Probably only different is most "interfaces" like this
will be unidirectional (for example: kernel message -> buffer, but not
buffer -> kernel).

5. I guess Wireshark may need button(s) in Packet Details. First button may
be "Decode file", second "Extract File". First button will be nice on
Wireshark performance, because I do not think everyone want to dissect each
MP3 in network stream...

6. Can we modify file in FileShark? I think "Packet Editor" do that now
(ok, now it is broken, but normally it is work fine for me).

By the way, could anyone show me what Fileshark may have what Wireshark
have not? (Which file format need something different in handling?)
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]