On Oct 12, 2009, at 1:30 PM, Németh Márton wrote:
as some wiki pages show ( http://wiki.wireshark.org/JPEG_JFIF and
http://wiki.wireshark.org/TCP_Reassembly at Chapter Example) Wireshark
understands the JPEG/JFIF file.
Is there any way to open a raw JPEG/JFIF file similar to how the MP3
files can be opened? I guess something has to be done for this at
the capture file formats. Where should I start?
The wiretap subdirectory; that's where the capture file format stuff
is done.
You would need to add a WTAP_ENCAP_JPEG_JFIF value to the list of
WTAP_ENCAP_ values in wtap.h, and add an entry to the
encap_table_base[] table in wtap.c.
As I remember, JPEG/JFIF files begin with a "magic number" signature,
which is good - it means Wiretap can look for that signature to
determine whether a file is a JPEG/JFIF file or not. You'd write a
jpeg_jfif.c file with routines to support opening and reading those
files; the open routine would look for the magic number and return 1
if the file is a JPEG/JFIF file, 0 if it's not, or -1 on an error.
You'd put an entry for that routine in the open_routines_base[] table
in file_access.c; it would be one of the files with "magic bytes in
fixed locations".
You'd then have the JPEG/JFIF dissector register itself in the
"wtap_encap" table with the WTAP_ENCAP_JPEG_JFIF value.
Note, however, that there's a limit of 64K on the size of a packet
that can be returned by Wiretap, so you'd either have to cut the file
data off at 64K, or supply each block as a separate "packet" and have
a JPEG/JFIF "file" dissector reassemble those, with the "file"
dissector registering with WTAP_ENCAP_JPEG_JFIF.
