Wireshark mailing list archives

Re: opening JPEG/JFIF files with Wireshark?

From: Németh Márton <nm127 () freemail hu>
Date: Sat, 17 Oct 2009 18:49:33 +0200

Hi,
Guy Harris wrote:

On Oct 12, 2009, at 1:30 PM, Németh Márton wrote:

as some wiki pages show ( http://wiki.wireshark.org/JPEG_JFIF and
http://wiki.wireshark.org/TCP_Reassembly at Chapter Example) Wireshark
understands the JPEG/JFIF file.

Is there any way to open a raw JPEG/JFIF file similar to how the MP3
files can be opened? I guess something has to be done for this at
the capture file formats. Where should I start?


The wiretap subdirectory; that's where the capture file format stuff  
is done.

You would need to add a WTAP_ENCAP_JPEG_JFIF value to the list of  
WTAP_ENCAP_ values in wtap.h, and add an entry to the  
encap_table_base[] table in wtap.c.

As I remember, JPEG/JFIF files begin with a "magic number" signature,  
which is good - it means Wiretap can look for that signature to  
determine whether a file is a JPEG/JFIF file or not.  You'd write a  
jpeg_jfif.c file with routines to support opening and reading those  
files; the open routine would look for the magic number and return 1  
if the file is a JPEG/JFIF file, 0 if it's not, or -1 on an error.   
You'd put an entry for that routine in the open_routines_base[] table  
in file_access.c; it would be one of the files with "magic bytes in  
fixed locations".

You'd then have the JPEG/JFIF dissector register itself in the  
"wtap_encap" table with the WTAP_ENCAP_JPEG_JFIF value.

Note, however, that there's a limit of 64K on the size of a packet  
that can be returned by Wiretap, so you'd either have to cut the file  
data off at 64K, or supply each block as a separate "packet" and have  
a JPEG/JFIF "file" dissector reassemble those, with the "file"  
dissector registering with WTAP_ENCAP_JPEG_JFIF.


Thank you for the detailed description. With the help of your description
and the description at wiretap/README.developer I could create a patch
which can open JPEG/JFIF files directly from the disk:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4136

However, I have have some crashes with some JPEG files and I don't know
from where it comes from.

Regards,

        Márton Németh
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

Current thread:

opening JPEG/JFIF files with Wireshark? Németh Márton (Oct 12)
- Re: opening JPEG/JFIF files with Wireshark? Guy Harris (Oct 12)
  - Re: opening JPEG/JFIF files with Wireshark? Németh Márton (Oct 17)