Is there a file format equivalent of Wireshark?

4

2

I love how Wireshark breaks down every packet by protocol section, explaining what every single bit and byte is for. What I would also love is a program that does the same thing for regular files: showing a hex dump of each file and identifying headers, data sections, etc. and what they do. E.g. it would know the format of JPG, GIF, PNG, word docs, EXIF segments of photos, etc. Is there any such thing?

dirtside

Posted 2011-03-23T04:11:07.943

Reputation: 971

Answers

2

Well, files are actually identifiable by 'magic numbers' or specific file header sequences. In Unix, there is a built-in tool called file. Alternately there's a tool called trid that does the same thing.

There's an article on the forensics wiki that lists a fair number of other tools that you could use, if these fail.

Journeyman Geek

Posted 2011-03-23T04:11:07.943

Reputation: 119 122

I know all about file, but what I'm looking for is something that actually lets me explore the data in the file, rather than just telling me what kind of file it is. – dirtside – 2011-03-23T06:04:02.373

1

No, but that sounds like an excellent open source project to start on.

The problem comes in that Wireshark is able to do it because protocols don't change much (they can't; applications wouldn't be able to keep up and interoperability wouldn't happen). This isn't true of file formats, however, which have the annoying tendency to change more frequently.

You should check out the 'file' command (if you haven't yet) which identifies files quite well. Then you could pull in some programs like identify from the ImageMagick suite which could help you break down files.

But then you'll quickly realize that every single library must be pulled in because files are huge and complex and not simple to break down in the first place (unlike packets). That's the whole reason that applications are so large in the first place! To manipulate those nasty files!

Wes Hardaker

Posted 2011-03-23T04:11:07.943

Reputation: 1 796

1

Yeah, I know about file ;-) You wouldn't need to pull in every library, just the one(s) needed for whatever the current format is. But point taken about the relative fungibility of file formats versus wire protocols. That's probably why the program I want doesn't exist yet. (I wasn't explicitly concerned with image formats, those were just examples.) – dirtside – 2011-03-23T06:05:34.947

0

In the Wireshark project, there has been thought given to creating a "fileshark" that would be the sort of program you're talking about; some payload dissectors, such as the JPEG and GIF dissectors, in Wireshark are file-format dissectors.

However, there are some issues that haven't yet been resolved; an early attempt at fileshark in the Wireshark code base was abandoned.

user164970

Posted 2011-03-23T04:11:07.943

Reputation:
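As an added illustration (not code from any answer above, and not Wireshark's own dissector), here is a minimal Python "fileshark" for PNG: it does the magic-number identification the first answer describes, then walks the chunk structure the way the JPEG/GIF dissectors mentioned in the last answer do, decoding the IHDR fields and checking each chunk's CRC. The function names, the magic table and the embedded sample file are my own constructions.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# A few magic numbers, the same kind of test the 'file' command applies first.
MAGICS = {PNG_MAGIC: "PNG", b"GIF87a": "GIF", b"GIF89a": "GIF", b"\xff\xd8\xff": "JPEG"}


def identify(blob: bytes) -> str:
    """Return the format whose magic number the data starts with, else 'unknown'."""
    for magic, name in MAGICS.items():
        if blob.startswith(magic):
            return name
    return "unknown"


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Assemble one PNG chunk: 4-byte big-endian length, 4-byte type, data, CRC-32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


# Constructed sample input (not from the page): a 1x1 RGB PNG built from three chunks.
SAMPLE_PNG = (PNG_MAGIC
              + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
              + make_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
              + make_chunk(b"IEND", b""))


def dissect_png(blob: bytes) -> list:
    """Walk the chunk list; return one record per chunk with offset, type, length and CRC status."""
    if not blob.startswith(PNG_MAGIC):
        raise ValueError("not a PNG: magic number mismatch")
    chunks, off = [], len(PNG_MAGIC)
    while off < len(blob):
        if off + 8 > len(blob):
            raise ValueError(f"truncated chunk header at offset {off}")
        length, ctype = struct.unpack(">I4s", blob[off:off + 8])
        end = off + 12 + length                        # header + data + CRC
        if end > len(blob):                            # length field points past end of file
            raise ValueError(f"chunk {ctype!r} at offset {off} claims {length} bytes but file ends early")
        data = blob[off + 8:off + 8 + length]
        (stored_crc,) = struct.unpack(">I", blob[end - 4:end])
        rec = {"offset": off, "type": ctype.decode("ascii", "replace"), "length": length,
               "crc_ok": stored_crc == zlib.crc32(ctype + data)}
        if ctype == b"IHDR" and length == 13:          # decode the header fields, Wireshark-style
            rec["width"], rec["height"], rec["bit_depth"], rec["color_type"] = struct.unpack(">IIBB", data[:10])
        chunks.append(rec)
        off = end
        if ctype == b"IEND":                           # anything after IEND is not part of the image
            break
    return chunks
```

A CRC mismatch in the output is the file-level analogue of Wireshark's checksum warnings: the chunk parses, but its bytes are not what the writer produced.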