Home page logo
/

wireshark logo Wireshark mailing list archives

Re: Fileshark (AKA Dissecting Files with Wireshark)
From: Guy Harris <guy () alum mit edu>
Date: Fri, 21 Jun 2013 10:56:22 -0700


On Jun 20, 2013, at 11:57 PM, Michal Labedzki <michal.labedzki () tieto com> wrote:

3. What about files like *.pcap, *.pcapng, btsnoop, etc.? In Wireshark will be easy to firstly dissect it by file 
dissector

Possibly, possibly not.  If a file dissector can do *everything* that a libwiretap module can (including supporting 
random access), and not show the user the details of how packets happen to be represented in this particular file 
format (which isn't interesting to somebody looking at network traffic), then yes, otherwise no.
 
and then call protocol dissector: in results everything is in place. In Fileshark we dissect, for example PCAP 
format, and see undecoded block?

Yes.

In Wireshark, you would see packets and possibly other records as items in the list.  You would *not* see, for example, 
any file header the file has or the underlying layout of the record headers; you'd only see the relevant data items 
from the header, and the record data, in a file-format-independent fashion.  Some records might be read by Wireshark 
but not displayed in the packet list.

In Fileshark, you would see the file header as one item, and each record as an item, showing all the record details as 
fields.  All records would be shown.

Whether, in Fileshark, the contents of packet records should be dissected as packets is a good point for discussion.

4. What about streams? For example Android Binary (Logcat/Logger) logs come as never-ending stream. Also Linux Kernel 
Messages (aka /dev/kmsg) [note: I finish work in PCAP and Wireshark]. Where is right place for it? I guess in 
Wireshark because we can capture then in the same way like Bluetooth, USB, network packets.

Yes.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault