How does NetWitness parse and set "filetype"? From what I've read, parsers can act on the whole payload, rather than iterating on each "attachment".
For various protocols (e.g., HTTP, FTP, SMTP, ...), whole files can be transmitted and are encapsulated by the protocol.
I'd like to be able to create meta data for encrypted RAR files (these can be determined by a header and flag at specific offsets in the file).
Is there a way to write a parser that can look at each "attachment" (protocol independent) to be able to set this meta data?
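
The header-and-flag check mentioned in the question, written out as an added example; it is not part of the original post and is plain Python, not NetWitness parser code. It assumes the buffer starts at the RAR signature and uses the field layout and flag values from the public RAR format notes (4.x main-header flag 0x0080, file-header flag 0x0004, 5.x header type 4); the function name and return labels are made up for illustration.

```python
import struct

RAR4_SIG = b"Rar!\x1a\x07\x00"       # RAR 1.5-4.x marker block
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x signature

def _vint(buf, pos):
    """Decode a RAR5 variable-length integer; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        value |= (byte & 0x7F) << shift
        pos += 1
        if not byte & 0x80:
            return value, pos
        shift += 7

def rar_encryption(buf):
    """Return None (not RAR), 'headers' (headers encrypted), 'files'
    (first file's data encrypted), 'none', or 'unknown' (cannot tell)."""
    try:
        if buf.startswith(RAR5_SIG):
            _size, pos = _vint(buf, len(RAR5_SIG) + 4)   # skip header CRC32
            htype, _ = _vint(buf, pos)
            # Type 4 = archive encryption header. Per-file encryption sits in
            # a file-header extra record, which this example does not parse.
            return "headers" if htype == 4 else "unknown"
        if not buf.startswith(RAR4_SIG):
            return None
        pos = len(RAR4_SIG)
        while True:   # walk RAR4 blocks up to the first file header
            _crc, htype, flags, size = struct.unpack_from("<HBHH", buf, pos)
            if htype == 0x73 and flags & 0x0080:   # main header, headers encrypted
                return "headers"
            if htype == 0x74:                      # file header
                return "files" if flags & 0x0004 else "none"
            if size < 7:
                return "unknown"                   # malformed block size
            add = struct.unpack_from("<I", buf, pos + 7)[0] if flags & 0x8000 else 0
            pos += size + add
    except (IndexError, struct.error):
        return "unknown"   # capture ended before the fields were reached

if __name__ == "__main__":
    # Constructed samples (header fields only, CRCs zeroed), not real archives.
    main_hdr = struct.pack("<HBHH", 0, 0x73, 0x0000, 13) + bytes(6)
    enc_file = struct.pack("<HBHH", 0, 0x74, 0x8004, 32)
    print(rar_encryption(RAR4_SIG + main_hdr + enc_file))
    print(rar_encryption(RAR5_SIG + bytes(4) + b"\x21\x04"))
```

To apply this to a transferred file regardless of protocol, the caller has to locate the signature in the reassembled payload and pass the bytes from that offset onward.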