Wireshark mailing list archives

Re: Fileshark (AKA Dissecting Files with Wireshark)


From: Gilbert Ramirez <gram () alumni rice edu>
Date: Fri, 21 Jun 2013 10:54:33 -0700

One thing that comes to mind about how a FileShark GUI should be different
from a Wireshark GUI is the amount of data that should / can be shown.

In my job, I often analyze ELF files. Very big ELF files. One thing I'd
like to do in FileShark is to read them, look at the various headers, but
not have it show me all the data in each ELF section by default. Because
they are huge, and I don't need a hexdump of megabytes of data I don't care
about.

Maybe it's just a matter of not using the "data" dissector... but then
again, I wouldn't want the hexdump pane to have to show gigabytes of raw
data.

I think that's a key difference; Wireshark will show all data, because each
packet is relatively small. But there can be megabytes of data in a file
that could be too difficult to show as a single "packet".

Gilbert
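As an added illustration of the header-only view Gilbert describes (example code, not from the thread or from Wireshark), this Python sketch walks an ELF64 section header table while reading only the file header, the table itself and .shstrtab, so the body of a multi-megabyte .data section is never loaded; the sample ELF image is constructed inside the block.

```python
import io
import struct

# Layouts from the ELF64 spec (little-endian): 64-byte file header, 64-byte section header.
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")
SHDR = struct.Struct("<IIQQQQIIQQ")
SHT_NAMES = {0: "NULL", 1: "PROGBITS", 3: "STRTAB", 8: "NOBITS"}

def read_at(f, offset, size):
    """Seek and read exactly size bytes, rejecting truncated files."""
    f.seek(offset)
    data = f.read(size)
    if len(data) != size:
        raise ValueError("truncated ELF: wanted %d bytes at offset %d" % (size, offset))
    return data

def elf64_section_table(f):
    """Return [(name, type_name, offset, size)] for every section header.
    Only the file header, the section header table and .shstrtab are read;
    section bodies are never fetched, so a multi-gigabyte .data costs nothing."""
    e = EHDR.unpack(read_at(f, 0, EHDR.size))
    ident, shoff, shentsize, shnum, shstrndx = e[0], e[6], e[11], e[12], e[13]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    if shentsize != SHDR.size or shnum == 0 or shstrndx >= shnum:
        raise ValueError("implausible section header table")
    table = read_at(f, shoff, shentsize * shnum)
    hdrs = [SHDR.unpack_from(table, i * shentsize) for i in range(shnum)]
    strtab = read_at(f, hdrs[shstrndx][4], hdrs[shstrndx][5])  # small; the only body we load
    out = []
    for sh_name, sh_type, _, _, sh_off, sh_size, *_ in hdrs:
        end = strtab.find(b"\0", sh_name)
        name = strtab[sh_name:end if end >= 0 else len(strtab)].decode("ascii", "replace")
        out.append((name, SHT_NAMES.get(sh_type, str(sh_type)), sh_off, sh_size))
    return out

def build_sample_elf(data_size):
    """Constructed ELF64 image: a .shstrtab plus a .data section of data_size bytes."""
    strtab = b"\0.shstrtab\0.data\0"
    shoff = EHDR.size + len(strtab) + data_size          # section table after the body
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1
    ehdr = EHDR.pack(ident, 2, 62, 1, 0, 0, shoff, 0, EHDR.size, 0, 0, SHDR.size, 3, 1)
    shdrs = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                              # SHN_UNDEF
    shdrs += SHDR.pack(1, 3, 0, 0, EHDR.size, len(strtab), 0, 0, 1, 0)           # .shstrtab
    shdrs += SHDR.pack(11, 1, 3, 0, EHDR.size + len(strtab), data_size, 0, 0, 8, 0)  # .data
    return ehdr + strtab + bytes(data_size) + shdrs

if __name__ == "__main__":
    for name, kind, off, size in elf64_section_table(io.BytesIO(build_sample_elf(8 << 20))):
        print("%-10s %-9s offset=0x%x size=%d" % (name, kind, off, size))
```

The same three seek-and-read calls suffice for a real binary opened with `open(path, "rb")`, however large its sections are.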



On Thu, Jun 20, 2013 at 11:57 PM, Michal Labedzki <michal.labedzki () tieto com> wrote:

Hi,
I think the presented idea is good news.
So, questions from my side:

1. Why a separate application? ("Shared") code maintenance should be easier
in one application (no copying of any code). I guess there will only be some
cosmetic changes when presenting a file instead of a protocol:
a) no Packet List (because it is one "Packet", let's call it "Block")
b) "Packet" Details + "Packet" Bytes seem to be everything we need
at all
c) it would be good to have a "Preview", but this may be hard. Previewing PNG, BMP,
GIF, JPG or MP3 is easy (and TXT)... but ODF, DOC, PDF may be hard
[external library? using dlopen may be a good way], and ELF, EXE preview is
probably impossible (everything is possible, maybe someone wants to add a
processor emulator :) [Joke: then create WiresharkOS :)])

I guess Wireshark may change only part of its behaviour when opening a file.
Something like changing Preferences -> User Interface -> Layout -> Panes.

2. What will be different between showing a file in Wireshark and in Fileshark? (As
I understand it, a protocol dissector can call a file dissector, so what do I lose
when I do that?)

3. What about files like *.pcap, *.pcapng, btsnoop, etc.? In Wireshark it
will be easy to first dissect it with the file dissector and then call the protocol
dissector: as a result everything is in place. In Fileshark we dissect, for
example, the PCAP format, and see undecoded blocks?

4. What about streams? For example, Android Binary (Logcat/Logger) logs
come as a never-ending stream. Also Linux Kernel Messages (aka /dev/kmsg)
[note: I am finishing work on this in PCAP and Wireshark]. Where is the right place for it? I
guess in Wireshark, because we can capture them in the same way as
Bluetooth, USB, network packets. Probably the only difference is that most
"interfaces" like this will be unidirectional (for example: kernel
message -> buffer, but not buffer -> kernel).

5. I guess Wireshark may need button(s) in Packet Details. The first button
may be "Decode file", the second "Extract File". The first button will be nice for
Wireshark performance, because I do not think everyone wants to dissect each
MP3 in a network stream...

6. Can we modify a file in FileShark? I think "Packet Editor" does that now
(ok, now it is broken, but normally it works fine for me).

By the way, could anyone show me what Fileshark may have that Wireshark
does not? (Which file format needs something different in handling?)

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
