Wireshark-dev: Re: [Wireshark-dev] Fileshark (AKA Dissecting Files with Wireshark)

From: Gilbert Ramirez <gram@xxxxxxxxxxxxxxx>
Date: Fri, 21 Jun 2013 10:54:33 -0700
One thing that comes to mind about how a FileShark GUI should be different from a WireShark GUI is the amount of data that should / can be shown.

In my job, I often analyze ELF files. Very big ELF files. One thing I'd like to do in FileShark is to read them, look at the various headers, but not have it show me all the data in each ELF section by default. Because they are huge, and I don't need a hexdump of megabytes of data I don't care about.

Maybe it's just a matter of not using the "data" dissector.... but then again, I wouldn't want the hexdump pane to have to show gigabytes of raw data.

I think that's a key difference; Wireshark will show all data, because each packet is relatively small. But there can be megabytes of data in a file that could be too difficult to show as a single "packet".

Gilbert



On Thu, Jun 20, 2013 at 11:57 PM, Michal Labedzki <michal.labedzki@xxxxxxxxx> wrote:
Hi,
I think that the presented idea is good news.
So, questions from my side:

1. Why a separate application? ("Shared") Code maintenance should be easier in one application (no copy of any code). I guess there will be only some cosmetic changes when presenting a file instead of a protocol:
a) no Packet List (because it is one "Packet", let's call it "Block")
b) "Packet" Details + "Packet" Bytes seem to be everything we need at all
c) it is good to have: "Preview", but this may be hard. Previewing PNG, BMP, GIF, JPG or MP3 is easy (and TXT)... but ODF, DOC, PDF may be hard [external library? using dlopen may be a good way], and ELF, EXE preview is probably impossible (everything is possible, maybe someone wants to add a processor emulator :) [Joke: Then create WiresharkOS :)])

I guess Wireshark may change only part of its behaviour when opening a file. Something like changing Preferences -> User Interface -> Layout -> Panes.

2. What will be different between showing a file in Wireshark and in Fileshark? (As I understand, a protocol dissector can call a file dissector, so what do I lose when I do that?)

3. What about files like *.pcap, *.pcapng, btsnoop, etc.? In Wireshark it will be easy to first dissect it with the file dissector and then call the protocol dissector: as a result everything is in place. In Fileshark we dissect, for example, the PCAP format, and see an undecoded block?

4. What about streams? For example Android Binary (Logcat/Logger) logs come as a never-ending stream. Also Linux Kernel Messages (aka /dev/kmsg) [note: I finished work in PCAP and Wireshark]. Where is the right place for it? I guess in Wireshark, because we can capture them in the same way as Bluetooth, USB, network packets. Probably the only difference is that most "interfaces" like this will be unidirectional (for example: kernel message -> buffer, but not buffer -> kernel).

5. I guess Wireshark may need button(s) in Packet Details. The first button may be "Decode file", the second "Extract File". The first button will be nice for Wireshark performance, because I do not think everyone wants to dissect each MP3 in a network stream...

6. Can we modify a file in FileShark? I think "Packet Editor" does that now (ok, now it is broken, but normally it works fine for me).

By the way, could anyone show me what Fileshark may have that Wireshark has not? (Which file format needs something different in handling?)
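An added illustration of Gilbert's point about big ELF files (example code written for this page, not Wireshark's, Fileshark's or either author's code): a small Python reader that dissects the ELF64 header and the section header table and resolves section names, but never loads a section body, so the amount of data read is independent of the file size. The sample ELF it builds is constructed in a temporary file (a minimal relocatable object with a large, zero-filled .data section); the layout constants and the "bytes read" accounting are assumptions made for the demonstration, not anything from the thread.

```python
"""Dissect ELF64 headers and the section table without touching section bodies."""
import os
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2      # e_ident[EI_CLASS]: 64-bit objects
ELFDATA2LSB = 1     # e_ident[EI_DATA]: little-endian
SHT_PROGBITS, SHT_STRTAB = 1, 3

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")        # Elf64_Shdr, 64 bytes


def read_section_table(path):
    """Return (sections, bytes_read) using header information only.

    Only the ELF header, the section header table and the section-name
    string table are read; section bodies (.text, .data, ...) are never
    loaded, which is what a file dissector would want for huge binaries.
    """
    bytes_read = 0
    with open(path, "rb") as f:
        ehdr = f.read(EHDR.size)
        bytes_read += len(ehdr)
        if len(ehdr) != EHDR.size or ehdr[:4] != ELF_MAGIC:
            raise ValueError("not an ELF file")
        if ehdr[4] != ELFCLASS64 or ehdr[5] != ELFDATA2LSB:
            raise ValueError("only little-endian ELF64 is handled here")
        (_ident, _type, _machine, _ver, _entry, _phoff, shoff, _flags,
         _ehsize, _phentsize, _phnum, shentsize, shnum, shstrndx) = EHDR.unpack(ehdr)
        if shentsize != SHDR.size:
            raise ValueError("unexpected e_shentsize %d" % shentsize)
        f.seek(shoff)
        table = f.read(shentsize * shnum)
        bytes_read += len(table)
        headers = [SHDR.unpack_from(table, i * shentsize) for i in range(shnum)]
        # The only section body we read is the name string table (.shstrtab).
        str_off, str_size = headers[shstrndx][4], headers[shstrndx][5]
        f.seek(str_off)
        strtab = f.read(str_size)
        bytes_read += len(strtab)
    sections = []
    for name_idx, sh_type, _flags, _addr, offset, size, *_rest in headers:
        end = strtab.index(b"\0", name_idx)   # names are NUL-terminated
        sections.append({"name": strtab[name_idx:end].decode(),
                         "type": sh_type, "offset": offset, "size": size})
    return sections, bytes_read


def build_sample_elf(path, data_size=1 << 20):
    """Write a constructed ELF64 (ET_REL, EM_X86_64) with a large .data section."""
    shstrtab = b"\0.shstrtab\0.text\0.data\0"   # name indices: 1, 11, 17
    text = b"\x90" * 16
    off_str = EHDR.size
    off_text = off_str + len(shstrtab)
    off_data = off_text + len(text)
    shoff = off_data + data_size                # section table after .data

    def shdr(name, typ, off, size):
        return SHDR.pack(name, typ, 0, 0, off, size, 0, 0, 1, 0)

    table = (shdr(0, 0, 0, 0)
             + shdr(1, SHT_STRTAB, off_str, len(shstrtab))
             + shdr(11, SHT_PROGBITS, off_text, len(text))
             + shdr(17, SHT_PROGBITS, off_data, data_size))
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    ehdr = EHDR.pack(ident, 1, 62, 1, 0, 0, shoff, 0,
                     EHDR.size, 0, 0, SHDR.size, 4, 1)
    with open(path, "wb") as f:
        f.write(ehdr + shstrtab + text)
        f.seek(shoff)           # the gap is the zero-filled .data body
        f.write(table)


def demo(data_size=1 << 20):
    """Build the sample file, dissect it and report how little had to be read."""
    fd, path = tempfile.mkstemp(suffix=".elf")
    os.close(fd)
    try:
        build_sample_elf(path, data_size)
        sections, bytes_read = read_section_table(path)
        return sections, bytes_read, os.path.getsize(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    secs, n_read, total = demo()
    for s in secs:
        print("%-10s type=%d offset=%d size=%d" % (s["name"] or "(null)",
                                                   s["type"], s["offset"], s["size"]))
    print("read %d of %d bytes" % (n_read, total))
```

The reader keeps an explicit byte count so the saving is visible: for the 1 MiB sample it reads a few hundred bytes of headers and names. A dissector that wanted the "Block" Details pane populated would do exactly this and fetch a section body only when the user expands that section.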

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe