Wireshark-dev: Re: [Wireshark-dev] opening JPEG/JFIF files with Wireshark?
From: Németh Márton <[email protected]>
Date: Sat, 17 Oct 2009 18:49:33 +0200
Hi,
Guy Harris wrote:
> On Oct 12, 2009, at 1:30 PM, Németh Márton wrote:
> 
>> as some wiki pages show ( http://wiki.wireshark.org/JPEG_JFIF and
>> http://wiki.wireshark.org/TCP_Reassembly at Chapter Example) Wireshark
>> understands the JPEG/JFIF file.
>>
>> Is there any way to open a raw JPEG/JFIF file similar to how the MP3
>> files can be opened? I guess something has to be done for this at
>> the capture file formats. Where should I start?
> 
> The wiretap subdirectory; that's where the capture file format stuff  
> is done.
> 
> You would need to add a WTAP_ENCAP_JPEG_JFIF value to the list of  
> WTAP_ENCAP_ values in wtap.h, and add an entry to the  
> encap_table_base[] table in wtap.c.
> 
> As I remember, JPEG/JFIF files begin with a "magic number" signature,  
> which is good - it means Wiretap can look for that signature to  
> determine whether a file is a JPEG/JFIF file or not.  You'd write a  
> jpeg_jfif.c file with routines to support opening and reading those  
> files; the open routine would look for the magic number and return 1  
> if the file is a JPEG/JFIF file, 0 if it's not, or -1 on an error.   
> You'd put an entry for that routine in the open_routines_base[] table  
> in file_access.c; it would be one of the files with "magic bytes in  
> fixed locations".
> 
> You'd then have the JPEG/JFIF dissector register itself in the  
> "wtap_encap" table with the WTAP_ENCAP_JPEG_JFIF value.
> 
> Note, however, that there's a limit of 64K on the size of a packet  
> that can be returned by Wiretap, so you'd either have to cut the file  
> data off at 64K, or supply each block as a separate "packet" and have  
> a JPEG/JFIF "file" dissector reassemble those, with the "file"  
> dissector registering with WTAP_ENCAP_JPEG_JFIF.

Thank you for the detailed description. With the help of your description
and the description at wiretap/README.developer I could create a patch
which can open JPEG/JFIF files directly from the disk:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4136

However, I have have some crashes with some JPEG files and I don't know
from where it comes from.

Regards,

	Márton Németh