Wireshark-dev: Re: [Wireshark-dev] Fileshark (AKA Dissecting Files with Wireshark)
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 21 Jun 2013 10:56:22 -0700
On Jun 20, 2013, at 11:57 PM, Michal Labedzki <michal.labedzki@xxxxxxxxx> wrote:

> 3. What about files like *.pcap, *.pcapng, btsnoop, etc.? In Wireshark it will be easy to first dissect it with a file dissector

Possibly, possibly not.  If a file dissector can do *everything* that a libwiretap module can (including supporting random access), and not show the user the details of how packets happen to be represented in this particular file format (which isn't interesting to somebody looking at network traffic), then yes, otherwise no.
 
> and then call the protocol dissector: as a result, everything is in place. In Fileshark we dissect, for example, the PCAP format, and see an undecoded block?

Yes.

In Wireshark, you would see packets and possibly other records as items in the list.  You would *not* see, for example, any file header the file has or the underlying layout of the record headers; you'd only see the relevant data items from the header, and the record data, in a file-format-independent fashion.  Some records might be read by Wireshark but not displayed in the packet list.

In Fileshark, you would see the file header as one item, and each record as an item, showing all the record details as fields.  All records would be shown.

Whether, in Fileshark, the contents of packet records should be dissected as packets is a good point for discussion.

> 4. What about streams? For example, Android Binary (Logcat/Logger) logs come as a never-ending stream. Also Linux kernel messages (aka /dev/kmsg) [note: I am finishing work in PCAP and Wireshark]. Where is the right place for them? I guess in Wireshark, because we can capture them in the same way as Bluetooth, USB, and network packets.

Yes.
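The Wireshark-versus-Fileshark distinction described above, as an added example that is not part of this thread or of Wireshark's code: a small Python parser over a constructed pcap byte string that returns a Fileshark-style view (the file header as an item, every record header field as a field) and a Wireshark-style view (only the file-format-independent record data). Field names follow the classic libpcap header layout; the sample file and its timestamps are constructed inline.

```python
import struct

# pcap magic -> divisor for the fractional timestamp field (microseconds or nanoseconds)
PCAP_MAGIC = {0xA1B2C3D4: 1_000_000, 0xA1B23C4D: 1_000_000_000}

def build_sample_pcap(end: str = "<") -> bytes:
    """Constructed sample: pcap v2.4, snaplen 65535, linktype 1 (Ethernet), two records.
    The second record is truncated on capture (incl_len < orig_len)."""
    hdr = struct.pack(end + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b""
    for ts_sec, ts_frac, data, orig_len in ((1371837382, 10, b"\x01\x02\x03\x04", 4),
                                            (1371837383, 20, b"\xaa\xbb", 60)):
        recs += struct.pack(end + "IIII", ts_sec, ts_frac, len(data), orig_len) + data
    return hdr + recs

def fileshark_view(blob: bytes) -> list:
    """Fileshark-style: the file header is an item and each record shows all header fields."""
    (magic,) = struct.unpack("<I", blob[:4])
    end = "<"
    if magic not in PCAP_MAGIC:          # not little-endian; try the byte-swapped magic
        (magic,) = struct.unpack(">I", blob[:4])
        end = ">"
    if magic not in PCAP_MAGIC:
        raise ValueError("not a pcap file")
    names = ("magic", "version_major", "version_minor", "thiszone", "sigfigs", "snaplen", "linktype")
    header = dict(zip(names, struct.unpack(end + "IHHiIII", blob[:24])))
    items = [dict(item="file header", offset=0, **header)]
    off = 24
    while off + 16 <= len(blob):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(end + "IIII", blob[off:off + 16])
        if off + 16 + incl_len > len(blob):  # record header claims more bytes than the file holds
            raise ValueError(f"record at offset {off} runs past end of file")
        items.append(dict(item="record", offset=off, ts_sec=ts_sec, ts_frac=ts_frac,
                          incl_len=incl_len, orig_len=orig_len,
                          data=blob[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return items

def wireshark_view(blob: bytes) -> list:
    """Wireshark-style: no file header, no offsets; just (time, captured len, original len, bytes)."""
    items = fileshark_view(blob)
    divisor = PCAP_MAGIC[items[0]["magic"]]
    return [(r["ts_sec"] + r["ts_frac"] / divisor, r["incl_len"], r["orig_len"], r["data"])
            for r in items[1:]]
```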