Wireshark-dev: Re: [Wireshark-dev] About "New Export Objects" --GSoC 2013

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sat, 27 Apr 2013 23:27:55 -0700
On Apr 27, 2013, at 11:12 PM, "jin.huang" <54jin.huang@xxxxxxxxx> wrote:

> The wireshark export obects function can export png/jpeg/text... file from the http packet stream .But ,how do wireshark konw the exact file format from the frame data?

For HTTP:

	Part of the data in that frame or a previous frame is an HTTP response or request, which probably contains a Content-Type header.  The Content-Type header includes the media type of the body of the response or request, which indicates the data type of the object.  Wireshark might, however, only use that to determine whether the format should be thought of as text or binary data.

For SMB:

	Wireshark, as far as I know, just dumps out the raw bytes transferred by read and write requests.

For DICOM:

	I don't know whether the DICOM protocol specifies the types of the objects being transferred.  If not, Wireshark may just dump out the raw bytes.

Ultimately, however, what matters is only whether the data is text or not.  If it's text, then Wireshark should probably converting the line endings to the line endings appropriate for the OS on which it's running (CR-LF for Windows, LF for all flavors of UN*X).  If it's binary, it should just dump out the raw bytes of the file.  That might be all that Wireshark does, if it even handles text specially.  Files on both UN*X and Windows are just seekable byte streams, without a file format indicator, so Wireshark doesn't need to know the file format - all it could do with the file format is choose a default file extension.

For FTP, you could determine whether the file is text or binary only by seeing enough of the FTP session to see a TYPE command issued.