Wireshark mailing list archives

New pseudo interface/capture device


From: "Carpenter, Brandon J" <brandon.carpenter () pnnl gov>
Date: Thu, 31 Jan 2013 11:53:53 -0800

I am looking to add to Wireshark the ability to do live capture from the Hone Linux sensor <https://github.com/HoneProject/Linux-Sensor>.  Hone is a tool for correlating packets to processes and provides PCAP-NG data directly from a character device.  The additional PCAP-NG options and blocks provided by Hone are described on the GitHub wiki <https://github.com/HoneProject/Linux-Sensor/wiki/Augmented-PCAP-Next-Generation-Dump-File-Format>, but aren't relevant to this discussion.

Currently, the character device has to be read from and copied to a file to view the output in Wireshark.  The easiest way to do this is with cat (i.e. `cat /dev/hone > hone.pcapng`), but that can result in a partial PCAP-NG block being written at the end of the capture as cat doesn't know about block boundaries.  The hone log daemon included with the sensor source, honelogd, communicates with the driver to ensure it finishes on a block boundary (i.e. `honelogd -f hone.pcapng`).  The resulting capture file can then be read by Wireshark.

What is the best way to do live capture on a character special device which is already in PCAP-NG format?  I was 
originally considering modifying dumpcap, but after looking at the code some, I'm not sure that is the right approach.  
The character device needs to be opened and the output can be used directly, but will need to be copied to the temp 
file or ring buffer because the device doesn't support seeking.  When the capture is stopped, an ioctl needs to be 
issued to the character device to return zero from read() after the current packet is completely read.

Any help here is much appreciated.

Thanks,

Brandon
--
__________________________

Brandon Carpenter
Secure Cyber Systems, CSA
National Security Directorate
Pacific Northwest National Laboratory
www.pnnl.gov
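A block-boundary-aware copier for the partial-block problem the post describes, added here as an example; it is not code from the Hone project or from Wireshark. It reads PCAP-NG blocks from a non-seekable stream such as a pipe or /dev/hone, writes only complete blocks, validates the leading/trailing length fields, and reports how many bytes of an unfinished trailing block it dropped; it does not issue the driver ioctl the post mentions, and the sample bytes (an SHB, one IDB, and a truncated IDB) are constructed inline.

```python
import io
import struct

SHB_TYPE = 0x0A0D0D0A  # Section Header Block type; byte-symmetric, so endian-safe
BYTE_ORDER_MAGIC = 0x1A2B3C4D

def _read_exact(src, n):
    # Loop over short reads: pipes and character devices return partial chunks.
    buf = b""
    while len(buf) < n:
        chunk = src.read(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def copy_complete_blocks(src, dst):
    """Copy whole PCAP-NG blocks src->dst; return (blocks_written, partial_bytes_dropped)."""
    endian = "<"  # assumed until the first SHB's byte-order magic is seen
    written = 0
    while True:
        header = _read_exact(src, 8)  # block type + block total length
        if len(header) < 8:
            return written, len(header)
        if struct.unpack("<I", header[:4])[0] == SHB_TYPE:
            bom = _read_exact(src, 4)  # SHB: byte-order magic follows the length field
            if len(bom) < 4:
                return written, 8 + len(bom)
            endian = "<" if struct.unpack("<I", bom)[0] == BYTE_ORDER_MAGIC else ">"
            if struct.unpack(endian + "I", bom)[0] != BYTE_ORDER_MAGIC:
                raise ValueError("bad byte-order magic in SHB")
            header += bom
        total_len = struct.unpack(endian + "I", header[4:8])[0]
        if total_len < 12 or total_len % 4:
            raise ValueError(f"bad block length {total_len}")
        rest = _read_exact(src, total_len - len(header))
        if len(rest) < total_len - len(header):
            return written, len(header) + len(rest)  # stream ended mid-block
        if struct.unpack(endian + "I", rest[-4:])[0] != total_len:
            raise ValueError("trailing block length does not match leading length")
        dst.write(header + rest)
        written += 1

def filter_blocks(data):
    out = io.BytesIO()
    written, dropped = copy_complete_blocks(io.BytesIO(data), out)
    return written, dropped, out.getvalue()

# Constructed sample: LE SHB (28 B), one IDB (20 B), then a 10-byte partial IDB as cat leaves it.
IDB = struct.pack("<IIHHII", 1, 20, 1, 0, 65535, 20)  # Interface Description Block, LINKTYPE 1
SAMPLE = struct.pack("<IIIHHqI", SHB_TYPE, 28, BYTE_ORDER_MAGIC, 1, 0, -1, 28) + IDB + IDB[:10]
```

Run against a live device, `copy_complete_blocks` returns only once `read()` yields zero bytes, so the daemon-side ioctl that ends the stream on a block boundary is still what stops the capture cleanly.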