Wireshark-dev: Re: [Wireshark-dev] opening JPEG/JFIF files with Wireshark?
From: Guy Harris <[email protected]>
Date: Mon, 12 Oct 2009 14:30:43 -0700
On Oct 12, 2009, at 1:30 PM, Németh Márton wrote:

as some wiki pages show ( http://wiki.wireshark.org/JPEG_JFIF and
http://wiki.wireshark.org/TCP_Reassembly at Chapter Example) Wireshark
understands the JPEG/JFIF file.

Is there any way to open a raw JPEG/JFIF file similar to how the MP3
files can be opened? I guess something has to be done for this at
the capture file formats. Where should I start?
The wiretap subdirectory; that's where the capture file format stuff  
is done.
You would need to add a WTAP_ENCAP_JPEG_JFIF value to the list of  
WTAP_ENCAP_ values in wtap.h, and add an entry to the  
encap_table_base[] table in wtap.c.
As I remember, JPEG/JFIF files begin with a "magic number" signature,  
which is good - it means Wiretap can look for that signature to  
determine whether a file is a JPEG/JFIF file or not.  You'd write a  
jpeg_jfif.c file with routines to support opening and reading those  
files; the open routine would look for the magic number and return 1  
if the file is a JPEG/JFIF file, 0 if it's not, or -1 on an error.   
You'd put an entry for that routine in the open_routines_base[] table  
in file_access.c; it would be one of the files with "magic bytes in  
fixed locations".
You'd then have the JPEG/JFIF dissector register itself in the  
"wtap_encap" table with the WTAP_ENCAP_JPEG_JFIF value.
Note, however, that there's a limit of 64K on the size of a packet  
that can be returned by Wiretap, so you'd either have to cut the file  
data off at 64K, or supply each block as a separate "packet" and have  
a JPEG/JFIF "file" dissector reassemble those, with the "file"  
dissector registering with WTAP_ENCAP_JPEG_JFIF.