
Wireshark-dev: Re: [Wireshark-dev] Problem writing a file dissector for vwr capture files

From: Hadriel Kaplan <the.real.hadriel@xxxxxxxxx>
Date: Sun, 30 Aug 2015 09:39:15 -0400
When you say "properly", you mean like so it can be submitted into
master? I think the *right* thing is a much bigger change, and
involves creating wiretype subtypes for each file-format reader type.
But in the meantime you could wrap all your code in #ifdef so it's not
normally compiled in, but when it is compiled in it's the last magic
value and always succeeds.

I believe (or at least hope) that the way the MIME files thing works
right now is only a temporary hack. Ultimately we're not really
opening a file as a MIME container, shouldn't be seeing the file's
records inside of one big "MIME" frame but instead as independent
frames, and shouldn't need magic values to match up at all. I should
be able to tell wireshark to display a file in Format X, and it should
do it or die trying. :)

-hadriel


On Sun, Aug 30, 2015 at 8:41 AM, Joerg Mayer <jmayer@xxxxxxxxx> wrote:
> On Sun, Aug 30, 2015 at 07:53:09AM -0400, Hadriel Kaplan wrote:
>> Did you add the magic info into the magic_files array in
>> wiretap/mime_file.c?  It looks like it's necessary.
>
> Ah, that was the part I was missing. Thanks!
> Of course now that I did look at it, it doesn't help me because the file format
> doesn't really have a magic value. So how do I go about it properly?
>
> Thanks
>    Jörg
>
>> On Sun, Aug 30, 2015 at 4:22 AM, Joerg Mayer <jmayer@xxxxxxxxx> wrote:
>> > I'm trying to write a file dissector for the IxVeriWave (.vwr) capture files
>> > (without losing the ability to open said capture files normally of course)
>> > and am failing:
>> > Running  "tshark -X 'read_format:MIME Files Format' -V -r testfile.vwr" (or
>> > the equivalent steps in wireshark) results in
>> > tshark: The file "testfile.vwr" isn't a capture file in a format TShark understands.
>> > Trying to just take over the complete capture file was also unsuccessful.
>> > I've attached the current source of the dissector. Simple question: What am
>> > I missing ;-)
>> > In case you want to test, use the capture attached to bug 11464.
>
> --
> Joerg Mayer                                           <jmayer@xxxxxxxxx>
> We are stuck with technology when what we really want is just stuff that
> works. Some say that should read Microsoft instead of technology.