Wireshark mailing list archives

Re: Fileshark (AKA Dissecting Files with Wireshark)
From: Michal Labedzki <michal.labedzki () tieto com>
Date: Mon, 24 Jun 2013 09:04:20 +0200

On 21 June 2013 19:54, Gilbert Ramirez <gram () alumni rice edu> wrote:

> One thing that comes to mind about how a FileShark GUI should be different
> from a WireShark GUI is the amount of data that should / can be shown.
>
> In my job, I often analyze ELF files. Very big ELF files. One thing I'd
> like to do in FileShark is to read them, look at the various headers, but
> not have it show me all the data in each ELF section by default. Because,
> they are huge, and I don't need a hexdump of megabytes of data I don't care
>
> maybe it's just a matter of not using the "data" dissector.... but then
> again, I wouldn't want the hexdump pane to have to show gigabytes of raw

Ok, so you need to change the UI Pane Layout only (Packet Bytes set to None).
But for me File/Packet Bytes is very useful (Packet List is not useful...
it can be closed too).

On 21 June 2013 19:56, Guy Harris <guy () alum mit edu> wrote:

> Whether, in Fileshark, the contents of packet records should be dissected
> as packets is a good point for discussion.

Or maybe another way: add the possibility to "filter" the Packet Details pane
in Wireshark. This will be useful for network protocols too, because
protocols can have a huge Packet Details pane (for example where there is an item
list, like WLAN tags; a feature bitmask list, etc.). I am thinking of something like
the find feature in the Kate editor, Firefox (CTRL+F) and KDE Dolphin CTRL+I file
filtering (for me everything I need is to highlight the searched item).

On 21 June 2013 19:56, Guy Harris <guy () alum mit edu> wrote:

>> 3. What about files like *.pcap, *.pcapng, btsnoop, etc.? In Wireshark
>> it will be easy to first dissect it with a file dissector
>
> Possibly, possibly not.  If a file dissector can do *everything* that a
> libwiretap module can (including supporting random access), and not show
> the user the details of how packets happen to be represented in this
> particular file format (which isn't interesting to somebody looking at
> network traffic), then yes, otherwise no.

I guess an interesting option could be:
1. Dissect on demand (button "Dissect payload" (like "Dissect File"))
2. File -> "Open as" - because we can open, for example, a PCAP file in two
ways: File or Packet. This can be the Holy Grail for somebody who has problems
opening with heuristic protocols (like mp2t)

Pozdrawiam / Best regards
Michał Łabędzki, Software Engineer
Tieto Corporation

Product Development Services
http://www.tieto.com / http://www.tieto.pl
ASCII: Michal Labedzki
location: Swobodna 1 Street, 50-088 Wrocław, Poland
room: 5.01 (desk next to 5.08)
Please note: The information contained in this message may be legally
privileged and confidential and protected from disclosure. If the reader of
this message is not the intended recipient, you are hereby notified that
any unauthorised use, distribution or copying of this communication is
strictly prohibited. If you have received this communication in error,
please notify us immediately by replying to the message and deleting it
from your computer. Thank You.
Please consider the environment before printing this e-mail.
Tieto Poland spółka z ograniczoną odpowiedzialnością, with its registered office in
Szczecin, ul. Malczewskiego 26. Registered at the District Court
Szczecin-Centrum in Szczecin, XIII Commercial Division of the National Court
Register, under number 0000124858. NIP: 8542085557. REGON: 812023656. Share
capital: 4 271500 PLN
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
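Gilbert Ramirez's ELF case quoted above (show the headers and section table, never a hexdump of the section contents) is what a file dissector would present. The following is an added example written for this archive page, not code from the thread, from Wireshark or from Fileshark: a small Python reader that parses the ELF header and section header table with bounds checks and reports only metadata. The sample ELF bytes, the function names (`parse_elf`, `build_sample_elf`, `summarize`) and the constant tables are the example's own assumptions.

```python
"""Added example (not Wireshark/Fileshark code): dissect an ELF file's structure
without dumping section contents.  The sample ELF64 object is constructed inline."""
import struct

ELF_MAGIC = b"\x7fELF"
E_TYPE = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
SH_TYPE = {0: "SHT_NULL", 1: "SHT_PROGBITS", 2: "SHT_SYMTAB", 3: "SHT_STRTAB", 8: "SHT_NOBITS"}


def parse_elf(data: bytes) -> dict:
    """Return ELF header fields plus a list of section descriptors
    (name, type, offset, size).  Raises ValueError on malformed input
    so a truncated or hostile file cannot push reads past the buffer."""
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]          # 1/2 = 32/64-bit, 1/2 = LE/BE
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    is64 = ei_class == 2
    ehdr_fmt = endian + ("16sHHIQQQIHHHHHH" if is64 else "16sHHIIIIIHHHHHH")
    shdr_fmt = endian + ("IIQQQQIIQQ" if is64 else "IIIIIIIIII")
    if len(data) < struct.calcsize(ehdr_fmt):
        raise ValueError("truncated ELF header")
    (_ident, e_type, e_machine, _ver, e_entry, _phoff, e_shoff, _flags, _ehsize,
     _phentsize, _phnum, e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from(ehdr_fmt, data, 0)
    if e_shentsize != struct.calcsize(shdr_fmt):
        raise ValueError("unexpected section header entry size")
    # The whole section header table must lie inside the file before we touch it.
    if e_shoff + e_shnum * e_shentsize > len(data):
        raise ValueError("section header table runs past end of file")
    raw = [struct.unpack_from(shdr_fmt, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    # Section names come from the string table indexed by e_shstrndx.
    if e_shstrndx >= e_shnum:
        raise ValueError("e_shstrndx out of range")
    str_off, str_size = raw[e_shstrndx][4], raw[e_shstrndx][5]
    if str_off + str_size > len(data):
        raise ValueError("section name string table runs past end of file")
    strtab = data[str_off:str_off + str_size]
    sections = []
    for sh_name, sh_type, _flags, _addr, sh_off, sh_size, *_rest in raw:
        end = strtab.find(b"\0", sh_name)
        name = strtab[sh_name:end if end != -1 else None].decode("ascii", "replace")
        sections.append({"name": name, "type": SH_TYPE.get(sh_type, hex(sh_type)),
                         "offset": sh_off, "size": sh_size})
    return {"class": 64 if is64 else 32, "endian": "little" if ei_data == 1 else "big",
            "type": E_TYPE.get(e_type, hex(e_type)), "machine": e_machine,
            "entry": e_entry, "sections": sections}


def summarize(data: bytes) -> list:
    """Header-only view, one line per section; contents are never shown."""
    info = parse_elf(data)
    lines = ["ELF%d %s-endian %s machine=%#x entry=%#x"
             % (info["class"], info["endian"], info["type"], info["machine"], info["entry"])]
    for i, s in enumerate(info["sections"]):
        lines.append("[%2d] %-12s %-13s off=%#06x size=%d bytes (not dumped)"
                     % (i, s["name"] or "<null>", s["type"], s["offset"], s["size"]))
    return lines


def build_sample_elf() -> bytes:
    """Constructed ELF64 little-endian relocatable with .text and .shstrtab."""
    text = b"\x90" * 15 + b"\xc3"                 # constructed section contents
    shstrtab = b"\0.text\0.shstrtab\0"            # name offsets: 1 and 7
    text_off = 64                                  # right after the 64-byte header
    str_off = text_off + len(text)                 # 80
    shoff = (str_off + len(shstrtab) + 7) & ~7     # 8-aligned: 104
    ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\0" * 7
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 1, 0x3E, 1, 0, 0, shoff, 0,
                       64, 0, 0, 64, 3, 2)         # 3 sections, names in index 2
    shdrs = struct.pack("<IIQQQQIIQQ", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    shdrs += struct.pack("<IIQQQQIIQQ", 1, 1, 6, 0, text_off, len(text), 0, 0, 16, 0)
    shdrs += struct.pack("<IIQQQQIIQQ", 7, 3, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0)
    body = ehdr + text + shstrtab
    body += b"\0" * (shoff - len(body))
    return body + shdrs


if __name__ == "__main__":
    print("\n".join(summarize(build_sample_elf())))
```

Every offset taken from the file is checked against the buffer length before it is used, which is the same discipline a Wireshark dissector applies with its bounds-checked tvb accessors; a file dissector for multi-gigabyte inputs would read the header and section table this way and leave section bodies on disk until the user asks for them.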
