Workbench 0.18 User Guide

Overview

Transformers

A transformer reads data in one format and outputs it in another. Each transformer is defined by an input format and an output format, both identified by file extension, and several transformers can be chained together to achieve the required transformation.

Diagram of a transformer chain

The diagram above shows how the output of a netsh trace command (a file with the extension .etl) is first transformed into a Wireshark PCAP-NG file by a transformer called Babel, and then transformed again by Tshark into a CSV. This sequence is called a transformation path. A transformation path can have one or more steps.

When an analyst drags a tool over a data object, Workbench performs a sequence of checks:

  • Does the tool support the file format of the data object?  If so, dropping the tool on the object opens the file in the tool.
  • Is there a suitable transformation path to convert the data object's native format to a format supported by the tool?  If so, dropping the tool on the object causes Workbench to run the transformation steps to convert the file into a supported format.  Workbench then launches the tool, which opens the converted file.
  • If the file format is not supported and there is no suitable transformation path, hovering a tool over the object will cause it to be outlined in red.

Screenshot showing icon outlined in red

These checks and transformations are seamless; the analyst can view progress through messages shown in the Console window but, otherwise, need not worry about the steps involved in transformations.

Depending on the size and complexity of a transformation, the analyst may see a short delay when opening a transformed data object.  To improve performance, Workbench caches transformed files in a directory within the workspace.  When a user subsequently drops a tool on a non-native file, Workbench first checks the cache for a suitable transformed file before running a transformation.

Therefore, a data object may have many formats; hence the term Multi-format Object.
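
The drop-time checks and cache lookup described above can be modelled as a graph search over transformers keyed by file extension. The following is an added example, not Workbench's own code: the registry layout, the function names, the ".pcapng" extension and the reuse of cached intermediate files are assumptions.

```python
from collections import deque

# Constructed registry: (name, input extension, output extension). Babel and
# Tshark are the guide's example; ".pcapng" and this layout are assumptions.
TRANSFORMERS = [("Babel", ".etl", ".pcapng"), ("Tshark", ".pcapng", ".csv")]

def find_path(src_ext, tool_exts, transformers=TRANSFORMERS):
    """Shortest transformation path via breadth-first search.

    Returns [] when the tool opens src_ext natively, a list of steps when a
    chain exists, or None when no path exists (tool outlined in red).
    """
    if src_ext in tool_exts:
        return []
    seen = {src_ext}                      # visited formats; stops cycles
    queue = deque([(src_ext, [])])
    while queue:
        ext, path = queue.popleft()
        for step in transformers:
            name, t_in, t_out = step
            if t_in != ext or t_out in seen:
                continue
            if t_out in tool_exts:
                return path + [step]
            seen.add(t_out)
            queue.append((t_out, path + [step]))
    return None

def drop_tool(obj, src_ext, tool_exts, cache):
    """Return (action, transformer names still to run) for a drop.

    cache is a set of (object name, extension) pairs already in the workspace
    cache. Resuming from a cached intermediate file is an assumption.
    """
    path = find_path(src_ext, tool_exts)
    if path is None:
        return ("reject", [])
    if not path:
        return ("open-native", [])
    for i in range(len(path), 0, -1):     # prefer the furthest cached step
        if (obj, path[i - 1][2]) in cache:
            action = "open-cached" if i == len(path) else "transform"
            return (action, [s[0] for s in path[i:]])
    return ("transform", [s[0] for s in path])
```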