This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Will Wireshark be more than a protocol analyser?

1

Will Wireshark be more than a protocol analyser? Currently it is, but is it the official way? Wireshark can open files like MP3, JPG, GIF, PNG and XMLs. Could we treat Wireshark as a "file format analyser"? Then could support be added to open text files and binary files? Is it possible to send a file format dissector? (for example ".tar", ".dll")

It would be nice to see those features.

asked 17 Apr '13, 04:50


Michal Labedzki
31113
accept rate: 0%


2 Answers:

1

Wireshark is first and foremost a protocol analyzer. Its dissection engine architecture, however, is so flexible that one can envision it having a higher abstraction as 'record analyzer'. These records come in from a source, be it a pipe from dumpcap, the contents of a (capture) file from wiretap, or otherwise. That is where your experiments come into view. You open, through wiretap, files containing records which the dissection engine happens to know how to handle.

It's very important to understand the distinction between file and record format. JPEG is the record format, while JFIF is the file format (even the Joint Picture Experts Group missed this and forgot to specify JFIF). Same goes for MP3.

TL;DR: At best the dissection engine in Wireshark / Tshark is a record analyzer, where Wireshark / Tshark are tailored to network protocols. File formats are just containers for records; these won't be analyzed.

answered 17 Apr '13, 07:58


Jaap ♦
11.7k16101
accept rate: 14%
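The record-versus-container distinction in this answer, as an added example that is not part of the thread or of Wireshark's own code: a small Python walker that splits an MP3 file into the ID3v2 tag record and the MPEG frame records that follow it, locating each one from its own header the way a dissector would. The input is constructed (a zeroed tag and three silent 320 kb/s, 44.1 kHz frames), and the bitrate and sample-rate tables only cover the values the sample uses.

```python
# Record walker for an MP3 "container": an optional ID3v2 tag followed by
# self-describing MPEG audio frames, each found from its own header alone.
BITRATE_KBPS = {0x9: 128, 0xC: 224, 0xE: 320}   # MPEG-1 Layer III, subset
SAMPLE_RATE_HZ = {0: 44100, 1: 48000, 2: 32000}  # MPEG-1 sample-rate index

def id3v2_tag_length(data, offset=0):
    """Total ID3v2 tag length (10-byte header + body), or 0 if no tag here."""
    if data[offset:offset + 3] != b"ID3" or len(data) < offset + 10:
        return 0
    b = data[offset + 6:offset + 10]              # four 7-bit "syncsafe" bytes
    return 10 + ((b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3])

def mpeg_frame(data, offset):
    """Parse an MPEG-1 Layer III frame header; return (length, kbps, hz) or None."""
    if len(data) < offset + 4:
        return None
    h = int.from_bytes(data[offset:offset + 4], "big")
    if h >> 21 != 0x7FF or (h >> 17) & 0xF != 0xD:  # sync, MPEG-1, Layer III
        return None
    kbps = BITRATE_KBPS.get((h >> 12) & 0xF)
    hz = SAMPLE_RATE_HZ.get((h >> 10) & 3)
    if kbps is None or hz is None:
        return None                               # free/reserved values not handled
    return 144 * kbps * 1000 // hz + ((h >> 9) & 1), kbps, hz  # length incl. padding

def walk_records(data):
    """Return [(record_type, offset, length)] in file order, like tshark's listing."""
    records, offset = [], id3v2_tag_length(data)
    if offset:
        records.append(("ID3v2", 0, offset))
    while offset < len(data):
        frame = mpeg_frame(data, offset)
        if frame is None:                         # stop at anything that is not a frame
            records.append(("unknown", offset, len(data) - offset))
            break
        records.append(("MPEG-1 Audio Layer 3 %d kb/s %d Hz" % frame[1:], offset, frame[0]))
        offset += frame[0]
    return records

def build_sample():
    """Constructed input (not a real song): 4352-byte ID3v2.4 tag + three frames."""
    body = 4342
    size = bytes((body >> s) & 0x7F for s in (21, 14, 7, 0))
    tag = b"ID3\x04\x00\x00" + size + b"\x00" * body
    frame = b"\xFF\xFB\xE0\x00" + b"\x00" * 1040  # 320 kb/s, 44.1 kHz, no padding
    return tag + frame * 3

if __name__ == "__main__":
    for i, (kind, off, length) in enumerate(walk_records(build_sample()), 1):
        print("%3d %8d %6d  %s" % (i, off, length, kind))
```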

0

Wireshark cannot open files like MP3, JPG etc.; it can extract those file types from network packets contained in capture/trace files. The file formats Wireshark reads are listed here: http://wiki.wireshark.org/FileFormatReference

answered 17 Apr '13, 04:56


Jasper ♦♦
23.8k551284
accept rate: 18%

edited 17 Apr '13, 04:57

Actually:

tshark -r 01\ Don\'t\ Know\ Why.mp3 
  1 0.000000000              ->              ID3v2 4352 
  2 0.000000000     320 kb/s -> 44,1 kHz     MPEG-1 1044 Audio Layer 3
  3 0.026121600     320 kb/s -> 44,1 kHz     MPEG-1 1044 Audio Layer 3
  4 0.052243200     320 kb/s -> 44,1 kHz     MPEG-1 1044 Audio Layer 3
  5 0.078364800     320 kb/s -> 44,1 kHz     MPEG-1 1044 Audio Layer 3

[email protected]:~$ tshark -r /Applications/1Password.app/Contents/Import/images/ImportFirefoxPasswords.jpg
  1              -> MIME_FILE 34863
  2              -> MIME_FILE 0
[email protected]:~$

:-)

(17 Apr '13, 05:08) SYN-bit ♦♦

Okay, learning something new every day… but what is this good for? I guess it’s some sort of dissector test?

Anyway, lesson learned and documented at http://blog.packet-foo.com/2013/04/learning-something-new-every-day/ :-)

(17 Apr '13, 05:23) Jasper ♦♦