Ethereal-dev: Re: [Ethereal-dev] New dissector: JPEG File Interchange Format(JFIF)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gilbert Ramirez <gram@xxxxxxxxxxxxxxx>
Date: Wed, 07 Jan 2004 19:59:39 -0000
On Mon, 2004-01-05 at 18:23, Olivier Biot wrote:

> >
> > So, do you have any plans on adding wiretap support to detect GIF and
> > JPEG? You could use Ethereal to open a GIF or JPEG file, wiretap detects
> > it, a new protocol "File" is used, instead of "Frame", to show
> > filesystem fields (size, mtime, atime, ctime, filename), and then the
> > appropriate dissector is called.
> 
> I never thought about this, although I have written GIF and JFIF processing
> tools that run from the command-line in the past (2 years ago I think). If I
> understand wiretap correctly, I need to register a WTAP_* type for GIF,
> another for JFIF etc. I can assign the magic US-ASCII strings "GIF87a" and
> "GIF89a" to the WTAP_FILE_IMAGE_GIF, and the sequence { 0xFF, 0xD8, 0xFF,
> 0xE0, 0x**, 0x**, "JFIF" 0x00 } to the WTAP_FILE_IMAGE_JFIF.
> 
> Or do I provide a WTAP_FILE_SUPPORTED_MEDIA where I register all supported
> media, and based on the heuristic, hand it over to the appropriate
> dissector? How about OS and filesystem robustness (e.g., MacOS used to have
> an own file format)?
> 
> Any comments are welcome!
> 

I'd add a single new file to wiretap, and have it detect the various
file formats (GIF, JPEG, etc.). Each file format would have a distinct
WTAP_ENCAP type.

Alternatively, make a single WTAP_ENCAP type that means "non-packet
data": WTAP_ENCAP_NON_PACKET. Then have another value, somewhere, that
identifies the file type.

Inside dissect_packet(), instead of calling the 'frame'
dissector, a new dissector called 'file' would be called. Whereas
'frame' shows meta-data about the frame (size, capture time, etc), the
'file' protocol shows meta-data about the file (filename, size, mtime,
etc.). The JFIF and GIF dissectors are registered to either wtap_encap
or something new (wtap_non_packet_file) just like the layer-2 dissectors
are registered to "wtap_encap". So the JFIF and GIF dissectors will be
called via dissector_try_port() just like the layer-2 dissectors are
thus called in packet-frame.c.

--gilbert
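
Added example, not part of the original message and not Ethereal or wiretap code: a bounds-checked sketch of the magic-byte heuristic the thread describes ("GIF87a"/"GIF89a", and FF D8 FF E0 followed by two unmatched length bytes and "JFIF" NUL). The names `media_type` and `detect_media` are hypothetical and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical type codes; these are not wiretap's WTAP_* constants. */
enum media_type { MEDIA_UNKNOWN = 0, MEDIA_GIF, MEDIA_JFIF };

/* Classify a file from its leading bytes. Every comparison is guarded by a
 * length check, so a truncated or malformed file cannot cause an over-read. */
enum media_type detect_media(const uint8_t *buf, size_t len)
{
    static const uint8_t jfif_head[4] = { 0xFF, 0xD8, 0xFF, 0xE0 };

    if (buf == NULL)
        return MEDIA_UNKNOWN;

    /* GIF: six US-ASCII bytes, "GIF87a" or "GIF89a". */
    if (len >= 6 &&
        (memcmp(buf, "GIF87a", 6) == 0 || memcmp(buf, "GIF89a", 6) == 0))
        return MEDIA_GIF;

    /* JFIF: SOI (FF D8), APP0 marker (FF E0), two segment-length bytes that
     * are skipped (the 0x** wildcards), then "JFIF" and a terminating NUL. */
    if (len >= 11 &&
        memcmp(buf, jfif_head, 4) == 0 &&
        memcmp(buf + 6, "JFIF\0", 5) == 0)
        return MEDIA_JFIF;

    return MEDIA_UNKNOWN;
}

/* Constructed sample inputs (not taken from real files). */
static const uint8_t sample_gif[]   = { 'G','I','F','8','9','a', 0x01, 0x00 };
static const uint8_t sample_jfif[]  = { 0xFF,0xD8,0xFF,0xE0, 0x00,0x10,
                                        'J','F','I','F',0x00, 0x01,0x01 };
static const uint8_t sample_short[] = { 0xFF,0xD8,0xFF,0xE0, 0x00,0x10, 'J','F' };
static const uint8_t sample_exif[]  = { 0xFF,0xD8,0xFF,0xE1, 0x00,0x10,
                                        'E','x','i','f',0x00, 0x00,0x00 };

int main(void)
{
    printf("gif=%d\n",       (int)detect_media(sample_gif, sizeof sample_gif));
    printf("jfif=%d\n",      (int)detect_media(sample_jfif, sizeof sample_jfif));
    printf("truncated=%d\n", (int)detect_media(sample_short, sizeof sample_short));
    printf("exif=%d\n",      (int)detect_media(sample_exif, sizeof sample_exif));
    return 0;
}
```

A JPEG whose first segment is not APP0/JFIF (the constructed Exif-style sample) is reported as unknown, which is exactly what the byte sequence quoted in the thread would do.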