Wireshark-dev: Re: [Wireshark-dev] Omnivorous Shark

From: Hadriel Kaplan <hadriel.kaplan@xxxxxxxxxx>
Date: Fri, 31 Jan 2014 13:50:34 -0500
On Jan 31, 2014, at 11:45 AM, mmann78@xxxxxxxxxxxx wrote:

> Without looking at the details of the patch, my thoughts are:
>  
> 1. I like the fact that a "workaround" has been created for insufficient heuristics.  I just hope it doesn't have the unintended consequence of weaker heuristics being created.

Yeah that worries me too... that users would resort to using this feature instead of filing bugs or posting the problem on ask.wireshark.org, and we’d never find out we need to tighten some heuristic or tweak the order.  But the reality is some of the file types just don’t have enough disparity to make the heuristic ordering anything more than an educated guess which fails sometimes. :(


> 2. What I don't like is getting non capture file support (hooks) "for free", therefore having Wireshark support non capture file types (outside of the handful that commonly come across network protocols).  I've been (slowly) working on separating "Fileshark" functionality from Wireshark with the distinct difference of "capture file" vs "non-capture file" (or treating capture file as binary).  Yes, writing a new GUI for non-capture files will be an arduous task (which is why I started with a command line interface to work out the architecture), but I still believe we want the distinction of "Wireshark" separate from "FileShark" and not have an "OmniShark" that does both just because the underlying architecture is generic enough to support it.  I'd prefer the generic architecture (with some further tweaking) just do "double duty" for separate applications.

I’m not sure I understand this comment.  As far as I can tell, the patch doesn't make Wireshark open file types it doesn't have code to open properly - it doesn't, for example, bypass the checking a wiretap file reader already does today.  It just lets the user say "open this file as format Foo"; but if Foo's reader doesn't think the file is a Foo type, it won't open it (or so it appears to me skimming the patch).  It's really just a way to skip past wiretap readers that might incorrectly think the file is of their type, and instead try the selected file type reader only.  The selected file type reader still verifies it can open it.

So for Fileshark, for example, it would let you say "I don’t care if you think this is a TIFF file; try to open it as a GIF instead", but if the file doesn’t start with "GIF87a" or "GIF89a", it won’t be opened.

-hadriel
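The distinction Hadriel describes, heuristic ordering versus forcing one reader that still verifies its own magic bytes, as an added illustration that is not part of the thread or of wiretap's code. The reader table, the deliberately over-eager `greedy_open` reader and the `open_heuristic`/`open_forced` functions are all hypothetical; the GIF magic check is the one the message quotes.

```c
#include <stddef.h>
#include <string.h>

/* Outcomes a reader's open routine can report (constructed, not wiretap's codes). */
typedef enum { OPEN_ERROR = -1, OPEN_NOT_MINE = 0, OPEN_OK = 1 } open_result;

typedef open_result (*open_fn)(const unsigned char *buf, size_t len);

typedef struct { const char *name; open_fn open; } reader;

/* Hypothetical GIF reader: accepts only files starting with "GIF87a" or "GIF89a". */
static open_result gif_open(const unsigned char *buf, size_t len) {
    if (len < 6) return OPEN_NOT_MINE;
    if (memcmp(buf, "GIF87a", 6) == 0 || memcmp(buf, "GIF89a", 6) == 0) return OPEN_OK;
    return OPEN_NOT_MINE;
}

/* Hypothetical reader with a heuristic that is too loose: it claims any file
   whose first byte is 'G'.  This stands in for a reader that wrongly "wins". */
static open_result greedy_open(const unsigned char *buf, size_t len) {
    return (len > 0 && buf[0] == 'G') ? OPEN_OK : OPEN_NOT_MINE;
}

/* Heuristic order: the loose reader is tried before the GIF reader. */
static const reader readers[] = {
    { "greedy", greedy_open },
    { "gif",    gif_open    },
};
#define NREADERS (sizeof readers / sizeof readers[0])

/* Normal mode: walk the table in order; the first reader to say OK wins.
   Returns the winning reader's name, or NULL if nobody accepted the file. */
const char *open_heuristic(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < NREADERS; i++)
        if (readers[i].open(buf, len) == OPEN_OK) return readers[i].name;
    return NULL;
}

/* Forced mode ("open this file as format Foo"): skip the ordering and ask only
   the named reader.  That reader still runs its own check, so a file that does
   not carry the expected magic is refused rather than opened blindly. */
const char *open_forced(const char *type, const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < NREADERS; i++)
        if (strcmp(readers[i].name, type) == 0)
            return readers[i].open(buf, len) == OPEN_OK ? readers[i].name : NULL;
    return NULL;  /* unknown format name */
}
```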