
Wireshark-bugs: [Wireshark-bugs] [Bug 9607] TFShark (Terminal FileShark)

Date: Tue, 31 Dec 2013 00:45:30 +0000

Comment # 3 on bug 9607 from
Haven't tried to run it or anything, so take with a grain of salt, but I think
removing wiretap from this is something we want to get right before landing
this.

As discussed in the first and second links you provide, wiretap isn't the right
way of loading files for fileshark/docshark/whatever. Different file formats
will have totally different record types, sizes, layouts; some might not even
have a record-based structure at all.

For this reason, I think architecturally the right thing to do is to present
the entire file as a single frame/tvb to libepan. This involves:
- implementing a really dumb file-backed TVB so the above doesn't require
copying the whole file into memory
- replacing all the current wiretap stuff in tfshark with just
new_file_based_tvb(filename) and dummy values for pretty much everything else
- creating some file-base.c or file-file.c to play the role packet-frame.c
plays for packets (i.e. "dissecting" universal fields like the filename,
providing a root heuristic dissector table etc.)

Tangentially: once this basic stuff lands I want to implement a file-pcapng.c
dissector since that will make wiretap debugging much easier. It's not really a
document format though, so I'm not sure docshark is a great name. Perhaps
binshark (although that suffers from somewhat the same problem in the case of
text-based file formats).
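The architecture sketched in the comment above (a file-backed tvb that avoids copying the whole file into memory, plus a root heuristic dissector table keyed on the file's leading bytes), as an added stand-alone example that is not part of the bug thread and not Wireshark's own tvbuff or tfshark code. The `file_tvb_t` type, its accessors and the `root_heur_table` are hypothetical; only the pcap and pcapng magic values are real. The sample file is constructed in the program itself so it runs offline.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical file-backed tvb (not Wireshark's tvbuff API): keeps the file
 * open and reads only the bytes a dissector asks for, so a large file is
 * never copied whole into memory. Every access is bounds-checked against
 * the file length, so a truncated or hostile file cannot cause an over-read. */
typedef struct {
    FILE *fp;
    long  length;
} file_tvb_t;

file_tvb_t *file_tvb_new(const char *filename)
{
    FILE *fp = fopen(filename, "rb");
    if (!fp)
        return NULL;
    if (fseek(fp, 0, SEEK_END) != 0) { fclose(fp); return NULL; }
    long len = ftell(fp);
    if (len < 0) { fclose(fp); return NULL; }
    file_tvb_t *tvb = malloc(sizeof *tvb);
    if (!tvb) { fclose(fp); return NULL; }
    tvb->fp = fp;
    tvb->length = len;
    return tvb;
}

void file_tvb_free(file_tvb_t *tvb)
{
    if (tvb) { fclose(tvb->fp); free(tvb); }
}

/* Copy len bytes at offset into out. Returns 1 on success, 0 if the range
 * lies outside the file: the stand-in for tvbuff's bounds exception, which
 * stops the dissector instead of letting it read past the buffer. */
int file_tvb_get_bytes(file_tvb_t *tvb, long offset, void *out, size_t len)
{
    if (offset < 0 || len > (size_t)tvb->length || offset > tvb->length - (long)len)
        return 0;
    if (fseek(tvb->fp, offset, SEEK_SET) != 0)
        return 0;
    return fread(out, 1, len, tvb->fp) == len;
}

int file_tvb_get_uint32_be(file_tvb_t *tvb, long offset, uint32_t *val)
{
    uint8_t b[4];
    if (!file_tvb_get_bytes(tvb, offset, b, 4))
        return 0;
    *val = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  | (uint32_t)b[3];
    return 1;
}

/* Root heuristic dissector table: each entry inspects the leading bytes and
 * claims the file or declines. Nothing here assumes a record structure. */
typedef struct {
    const char *name;
    int (*heur)(file_tvb_t *tvb);
} file_heur_t;

static int heur_pcapng(file_tvb_t *tvb)
{
    uint32_t block_type, bom;
    /* Section Header Block: type 0x0A0D0D0A (same in both byte orders),
     * 4-byte block length, then byte-order magic 0x1A2B3C4D. */
    if (!file_tvb_get_uint32_be(tvb, 0, &block_type) || block_type != 0x0A0D0D0AU)
        return 0;
    if (!file_tvb_get_uint32_be(tvb, 8, &bom))
        return 0;
    return bom == 0x1A2B3C4DU || bom == 0x4D3C2B1AU;
}

static int heur_pcap(file_tvb_t *tvb)
{
    uint32_t magic;
    if (!file_tvb_get_uint32_be(tvb, 0, &magic))
        return 0;
    return magic == 0xA1B2C3D4U || magic == 0xD4C3B2A1U ||   /* microsecond pcap */
           magic == 0xA1B23C4DU || magic == 0x4D3CB2A1U;     /* nanosecond pcap */
}

static const file_heur_t root_heur_table[] = {
    { "pcapng", heur_pcapng },
    { "pcap",   heur_pcap   },
};

const char *file_identify(file_tvb_t *tvb)
{
    for (size_t i = 0; i < sizeof root_heur_table / sizeof root_heur_table[0]; i++)
        if (root_heur_table[i].heur(tvb))
            return root_heur_table[i].name;
    return "unknown";
}

/* Constructed sample: a minimal 28-byte little-endian pcapng Section Header
 * Block with no options, written to path so the example needs no input file. */
int write_sample_pcapng(const char *path)
{
    static const uint8_t shb[] = {
        0x0A, 0x0D, 0x0D, 0x0A,  /* block type */
        0x1C, 0x00, 0x00, 0x00,  /* block total length = 28 */
        0x4D, 0x3C, 0x2B, 0x1A,  /* byte-order magic, little-endian */
        0x01, 0x00, 0x00, 0x00,  /* version 1.0 */
        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,  /* section length unknown */
        0x1C, 0x00, 0x00, 0x00,  /* block total length again */
    };
    FILE *fp = fopen(path, "wb");
    if (!fp)
        return 0;
    size_t n = fwrite(shb, 1, sizeof shb, fp);
    return fclose(fp) == 0 && n == sizeof shb;
}

int main(void)
{
    const char *path = "/tmp/tfshark_example_sample.pcapng";
    if (!write_sample_pcapng(path)) { perror("write"); return 1; }
    file_tvb_t *tvb = file_tvb_new(path);
    if (!tvb) { perror("open"); return 1; }
    uint32_t v;
    printf("%s: %s, %ld bytes\n", path, file_identify(tvb), tvb->length);
    printf("4-byte read at offset %ld: %s\n", tvb->length - 2,
           file_tvb_get_uint32_be(tvb, tvb->length - 2, &v) ? "allowed" : "rejected");
    file_tvb_free(tvb);
    remove(path);
    return 0;
}
```

The point of the accessor layer is that every dissector reads through it, so one bounds check covers all of them; a file-pcapng.c written on top of this would walk blocks by asking for each block length and never touching bytes the file does not contain.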

