
Will Wireshark be more than a protocol analyser? Currently it is, but is it the official way? Wireshark can open files like MP3, JPG, GIF, PNG and XML. Could we treat Wireshark as a "file format analyser"? Then could support be added to open text files and binary files? Is it possible to send a file format dissector (for example ".tar", ".dll")?

It would be nice to see those features.

asked 17 Apr '13, 04:50

Michal Labedzki


Wireshark is first and foremost a protocol analyzer. But its dissection engine architecture is so flexible that one can envision it having a higher abstraction as a 'record analyzer'. These records come in from a source, be it a pipe from dumpcap, (capture) file contents from wiretap, or otherwise. That is where your experiments come into view. You open, through wiretap, files containing records, which the dissection engine happens to know how to handle.

It's very important to understand the distinction between file and record format. JPEG is the record format, while JFIF is the file format (even the Joint Picture Experts Group missed this and forgot to specify JFIF). Same goes for MP3.

TL;DR: At best the dissection engine in Wireshark / Tshark is a record analyzer, where Wireshark / Tshark are tailored to network protocols. File formats are just containers for records; these won't be analyzed.


answered 17 Apr '13, 07:58

Jaap ♦

Wireshark cannot open files like MP3, JPG etc.; it can extract those file types from network packets contained in capture/trace files. The file formats Wireshark reads are listed here: http://wiki.wireshark.org/FileFormatReference


answered 17 Apr '13, 04:56

Jasper ♦♦

edited 17 Apr '13, 04:57

Actually:

tshark -r 01\ Don\'t\ Know\ Why.mp3 
  1 0.000000000              ->              ID3v2 4352 
  2 0.000000000     320 kb/s -> 44,1 kHz     MPEG-1 1044 Audio Layer 3
  3 0.026121600     320 kb/s -> 44,1 kHz     MPEG-1 1044 Audio Layer 3
  4 0.052243200     320 kb/s -> 44,1 kHz     MPEG-1 1044 Audio Layer 3
  5 0.078364800     320 kb/s -> 44,1 kHz     MPEG-1 1044 Audio Layer 3

[email protected]:~$ tshark -r /Applications/1Password.app/Contents/Import/images/ImportFirefoxPasswords.jpg 
  1                         ->              MIME_FILE 34863 
  2                         ->              MIME_FILE 0 
[email protected]:~$

:-)

(17 Apr '13, 05:08) SYN-bit ♦♦

Okay, learning something new every day... but what is this good for? I guess it's some sort of dissector test?

Anyway, lesson learned and documented at http://blog.packet-foo.com/2013/04/learning-something-new-every-day/ :-)

(17 Apr '13, 05:23) Jasper ♦♦
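Jaap's distinction between a file format (the container) and the record format it carries, together with SYN-bit's tshark listing of an MP3 as one ID3v2 record followed by MPEG audio frame records, can be reproduced with a small stand-alone record walker. The following is an added example written for this thread, not Wireshark or tshark code. Its input is a constructed byte string (an empty 4352-byte ID3v2.4 tag followed by four 320 kb/s, 44.1 kHz frames) rather than a real file; it handles only MPEG-1 Layer III frames, ignores the ID3v2 footer flag, and coalesces anything it cannot parse into "unrecognised" records instead of silently dropping bytes.

```python
"""Toy 'record analyser' for an MP3 byte stream: splits the bytes into an ID3v2
tag record followed by MPEG-1 Layer III frame records, the way the tshark
listing above does. Constructed example, not Wireshark or tshark code."""

# Lookup tables from the MPEG-1 audio frame header (Layer III column).
MPEG1_L3_BITRATES_KBPS = [0, 32, 40, 48, 56, 64, 80, 96, 112,
                          128, 160, 192, 224, 256, 320]   # index 15 is invalid
MPEG1_SAMPLE_RATES = [44100, 48000, 32000]                # index 3 is invalid
SAMPLES_PER_FRAME = 1152                                  # MPEG-1 Layer III


def syncsafe_encode(n):
    """ID3v2 sizes are 'syncsafe': four bytes of seven bits each (MSB kept zero)."""
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])


def syncsafe_decode(b):
    return ((b[0] & 0x7F) << 21) | ((b[1] & 0x7F) << 14) | ((b[2] & 0x7F) << 7) | (b[3] & 0x7F)


def parse_id3v2(data, pos):
    """Return (record, next_pos) if an ID3v2 tag starts at pos, else None."""
    if data[pos:pos + 3] != b"ID3" or pos + 10 > len(data):
        return None
    major = data[pos + 3]
    size = 10 + syncsafe_decode(data[pos + 6:pos + 10])   # 10-byte header + body
    if major not in (2, 3, 4) or pos + size > len(data):
        return None                                       # unknown version or truncated tag
    return {"type": "ID3v2", "offset": pos, "length": size, "version": major}, pos + size


def parse_mpeg_frame(data, pos):
    """Return (record, next_pos) for an MPEG-1 Layer III frame at pos, else None."""
    if pos + 4 > len(data):
        return None
    b1, b2, b3, _ = data[pos:pos + 4]
    if b1 != 0xFF or (b2 & 0xE0) != 0xE0:        # 11-bit frame sync
        return None
    version = (b2 >> 3) & 3                       # 3 == MPEG-1
    layer = (b2 >> 1) & 3                         # 1 == Layer III
    bitrate_idx = b3 >> 4
    sr_idx = (b3 >> 2) & 3
    padding = (b3 >> 1) & 1
    if version != 3 or layer != 1 or bitrate_idx in (0, 15) or sr_idx == 3:
        return None                               # free-format/reserved values: not handled here
    bitrate = MPEG1_L3_BITRATES_KBPS[bitrate_idx] * 1000
    sample_rate = MPEG1_SAMPLE_RATES[sr_idx]
    length = 144 * bitrate // sample_rate + padding   # standard Layer III frame length formula
    if pos + length > len(data):
        return None                               # truncated frame at end of stream
    rec = {"type": "MPEG-1 Audio Layer 3", "offset": pos, "length": length,
           "bitrate_kbps": bitrate // 1000, "sample_rate": sample_rate,
           "duration": SAMPLES_PER_FRAME / sample_rate}
    return rec, pos + length


def dissect_records(data):
    """Walk the stream and emit one record per tag/frame; unrecognised bytes are
    coalesced into 'unrecognised' records rather than dropped."""
    records, pos, t, junk_start = [], 0, 0.0, None
    while pos < len(data):
        parsed = parse_id3v2(data, pos) or parse_mpeg_frame(data, pos)
        if parsed is None:
            junk_start = pos if junk_start is None else junk_start
            pos += 1                                  # resync one byte at a time
            continue
        if junk_start is not None:
            records.append({"type": "unrecognised", "offset": junk_start,
                            "length": pos - junk_start, "time": t})
            junk_start = None
        rec, pos = parsed
        rec["time"] = t                               # time offset, as in the tshark listing
        t += rec.get("duration", 0.0)                 # tags carry no audio, so no time passes
        records.append(rec)
    if junk_start is not None:
        records.append({"type": "unrecognised", "offset": junk_start,
                        "length": len(data) - junk_start, "time": t})
    return records


def build_sample_mp3(n_frames=4):
    """Constructed input: a 4352-byte ID3v2.4 tag followed by 320 kb/s, 44.1 kHz frames."""
    tag_body = b"\x00" * 4342
    tag = b"ID3" + bytes([4, 0, 0]) + syncsafe_encode(len(tag_body)) + tag_body
    frame_len = 144 * 320000 // 44100             # 1044 bytes, no padding bit
    # Header FF FB E0 00: sync, MPEG-1, Layer III, no CRC, bitrate index 14 (320), 44.1 kHz, stereo
    frame = b"\xff\xfb\xe0\x00" + b"\x00" * (frame_len - 4)
    return tag + frame * n_frames


if __name__ == "__main__":
    for i, r in enumerate(dissect_records(build_sample_mp3()), 1):
        print(f"{i:3} {r['time']:.9f} {r['type']} {r['length']}")
```

Running it lists five records: the 4352-byte ID3v2 tag and four 1044-byte frames, the same sizes as in the listing above. The frame length comes straight from the header fields (144 * bitrate / sample rate), which is why a container-level reader that only knows "this is an .mp3 file" tells you much less than a record-level walker that knows where each frame starts and ends. The time column is the nominal audio time per frame (1152 samples / 44100 Hz), so it is close to, but not necessarily identical with, the value tshark prints.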
question asked: 17 Apr '13, 04:50

question was seen: 1,974 times

last updated: 17 Apr '13, 07:58
