Wireshark-dev: Re: [Wireshark-dev] Fileshark (AKA Dissecting Files with Wireshark)
From: Michal Labedzki <[email protected]>
Date: Fri, 21 Jun 2013 08:57:47 +0200
Hi,
I think the presented idea is good news.
So some questions from my side:

1. Why a separate application? ("Shared") code maintenance should be easier in one application (no copying of any code). I guess there will be only some cosmetic changes when presenting a file instead of a protocol:
a) no Packet List (because it is one "Packet", let's call it "Block")
b) "Packet" Details + "Packet" Bytes seem to be everything we need at all
c) it would be good to have a "Preview", but this may be hard. Previewing PNG, BMP, GIF, JPG or MP3 is easy (and TXT)... but ODF, DOC, PDF may be hard [an external library? using dlopen may be a good way], and ELF, EXE preview is probably impossible (everything is possible, maybe someone wants to add a processor emulator :) [Joke: then create WiresharkOS :)])

I guess Wireshark may change only part of its behaviour when opening a file. Something like changing Preferences -> User Interface -> Layout -> Panes.

2. What will be different between showing a file in Wireshark and in Fileshark? (As I understand it, a protocol dissector can call a file dissector, so what do I lose when I do that?)

3. What about files like *.pcap, *.pcapng, btsnoop, etc.? In Wireshark it will be easy to first dissect it with the file dissector and then call the protocol dissector: as a result everything is in place. In Fileshark we dissect, for example, the PCAP format, and see an undecoded block?

4. What about streams? For example Android Binary (Logcat/Logger) logs come as a never-ending stream. Also Linux Kernel Messages (aka /dev/kmsg) [note: I am finishing work in PCAP and Wireshark]. Where is the right place for it? I guess in Wireshark, because we can capture them in the same way as Bluetooth, USB and network packets. Probably the only difference is that most "interfaces" like this will be unidirectional (for example: kernel message -> buffer, but not buffer -> kernel).

5. I guess Wireshark may need button(s) in Packet Details. The first button may be "Decode file", the second "Extract File". The first button will be good for Wireshark performance, because I do not think everyone wants to dissect each MP3 in a network stream...

6. Can we modify a file in FileShark? I think "Packet Editor" does that now (ok, now it is broken, but normally it works fine for me).

By the way, could anyone show me what Fileshark may have that Wireshark does not? (Which file format needs something different in handling?)
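The layered approach sketched in question 3 (a file dissector for the pcap container first, which then hands each record to the protocol dissector for the link type, or leaves it as an undecoded block), as an added Python example that is not part of this thread or of Wireshark's code; the pcap bytes are constructed, and the registry and function names are my own assumptions:

```python
import struct

# Minimal "protocol dissector" for Ethernet II (pcap link type 1).
def dissect_ethernet(payload):
    if len(payload) < 14:
        return None  # runt frame: leave it undecoded
    dst, src, ethertype = struct.unpack(">6s6sH", payload[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype}

# Registry the file dissector consults, keyed by pcap link type (assumed design).
LINKTYPE_DISSECTORS = {1: dissect_ethernet}

# "File dissector" for the classic pcap container: global header, then records.
def dissect_pcap(data):
    if data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"  # magic appears in file order: big-endian file
    elif data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"  # magic byte-swapped: little-endian file
    else:
        raise ValueError("not a pcap file (bad magic)")
    vmaj, vmin, _zone, _sigfigs, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    tree = {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype, "records": []}
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        payload = data[off + 16:off + 16 + incl_len]
        if len(payload) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        sub = LINKTYPE_DISSECTORS.get(linktype)
        tree["records"].append({
            "ts": ts_sec + ts_usec / 1e6, "incl_len": incl_len, "orig_len": orig_len,
            # hand the block to the protocol dissector, or keep it as an undecoded block
            "decoded": sub(payload) if sub else None,
        })
        off += 16 + incl_len
    return tree

# Constructed sample input (not a real capture): little-endian pcap with one record.
def build_pcap(linktype, frame):
    return (b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, linktype)
            + struct.pack("<IIII", 1371800000, 123456, len(frame), len(frame)) + frame)

SAMPLE_FRAME = bytes.fromhex("ffffffffffff 001122334455 0806") + b"\x00" * 28  # constructed
SAMPLE_PCAP = build_pcap(1, SAMPLE_FRAME)

if __name__ == "__main__":
    print(dissect_pcap(SAMPLE_PCAP))
```

A record whose link type has no registered dissector comes back with `decoded` set to `None`, which is the "undecoded block" case from question 3.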