Wireshark mailing list archives

Re: wireshark extension for a Kernel Module (like Usbmon)


From: Guy Harris <gharris () sonic net>
Date: Sun, 6 Mar 2022 16:13:06 -0800

On Mar 6, 2022, at 3:52 PM, Christian <chris () argonautx net> wrote:

Hello out there, I created a kernel probe module and I want to watch the
outputs of this module with pcap/Wireshark. Just like usbmon. So I
defined a char device in the dev-directory /dev/kpnode from which the
pcap interface can read the output of that module. In order to enable
Wireshark to read from this device, I started to place a handler
function into libpcap:
In pcap.c I put in
#ifdef PCAP_SUPPORT_KPNODE
#include "pcap-kpnode.h"
#endif
and later:
#ifdef PCAP_SUPPORT_KPNODE
      { kpnode_findalldevs, kpnode_create },
#endif
further down:
#ifdef PCAP_SUPPORT_KPNODE
          || strstr(device, "kpnode") != NULL
#endif

The functions kpnode_findalldevs and kpnode_create are in my files
pcap-kpnode.c and pcap-kpnode.h. They are not finished yet but the
subject of this mail is for now, how to connect these functions into
libpcap and Wireshark so that they are invoked if a device /dev/kpnode
emerges.

You do it in libpcap.

Then:

        if you have a version of Wireshark that's linked with your version of libpcap;

        and if kpnode_findalldevs() works, so that its devices show up in Wireshark when it calls pcap_findalldevs();

        and if kpnode_create() works, so that it can be opened in Wireshark when it calls pcap_create() on a kpnode device and it can be activated with pcap_activate();

        and if dumpcap - which is the program in Wireshark that calls pcap_findalldevs(), pcap_create(), and pcap_activate() - in that version of Wireshark is set up to run with sufficient privileges to open kpnode devices (that may require that it be set-UID to root, or it may not);

        and if those devices either use an existing LINKTYPE_/DLT_ value that Wireshark can dissect, or it uses a LINKTYPE_USERn/DLT_USERn value and you've written a dissector for that type and either built it into Wireshark or built it into a plugin for Wireshark and set it up for the USERn value in question;

then it should Just Work in Wireshark.

The bulk of this is a libpcap question, and should be asked on tcpdump-workers () lists tcpdump org.

The part that's relevant to Wireshark would be:

"How do I build a version of Wireshark that's linked with my version of libpcap?"  The answer is "install it on your system, complete with headers - the library and headers will, by default, be under /usr/local - and then configure Wireshark from scratch; the CMake configuration for Wireshark should find the /usr/local version and use your libpcap."

"How do I write a dissector for my new link-layer type (assuming that you can't just use an existing LINKTYPE_/DLT_ value)?"  The answer is more complicated.

The rest of your question amounts to

What did I miss to integrate my handlers into pcap library?

which is a libpcap question and should be asked on tcpdump-workers () lists tcpdump org.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
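The plugin-dissector route for a LINKTYPE_USERn/DLT_USERn device mentioned in the reply above, as an added Lua example that is not from this thread or from the Wireshark or libpcap projects. The record layout (4-byte probe id, 8-byte nanosecond timestamp, 2-byte payload length, then payload, all big-endian) and the choice of USER0 are assumptions for illustration; the real kpnode output format is not described in the thread.

```lua
-- Added example: Lua plugin dissector bound to the USER0 link-layer type.
-- The record layout is ASSUMED; adjust the fields to the real kpnode format.
local kpnode = Proto("kpnode", "Hypothetical kpnode probe record")

local f_probe_id = ProtoField.uint32("kpnode.probe_id", "Probe ID", base.DEC)
local f_ts_ns    = ProtoField.uint64("kpnode.ts_ns", "Timestamp (ns)", base.DEC)
local f_len      = ProtoField.uint16("kpnode.len", "Payload length", base.DEC)
local f_payload  = ProtoField.bytes("kpnode.payload", "Payload")
kpnode.fields = { f_probe_id, f_ts_ns, f_len, f_payload }

-- Expert infos flag malformed records instead of letting the dissector throw.
local ef_short = ProtoExpert.new("kpnode.short", "Record shorter than header",
                                 expert.group.MALFORMED, expert.severity.ERROR)
local ef_len   = ProtoExpert.new("kpnode.badlen", "Payload length exceeds record",
                                 expert.group.MALFORMED, expert.severity.ERROR)
kpnode.experts = { ef_short, ef_len }

local HDR_LEN = 4 + 8 + 2

function kpnode.dissector(buf, pinfo, tree)
    pinfo.cols.protocol = "KPNODE"
    local subtree = tree:add(kpnode, buf(), "kpnode probe record")
    if buf:len() < HDR_LEN then
        subtree:add_proto_expert_info(ef_short)
        return
    end
    subtree:add(f_probe_id, buf(0, 4))
    subtree:add(f_ts_ns, buf(4, 8))
    local plen = buf(12, 2):uint()
    subtree:add(f_len, buf(12, 2))
    -- Never trust the length field: clamp it to what the frame actually carries.
    if plen > buf:len() - HDR_LEN then
        subtree:add_proto_expert_info(ef_len)
        plen = buf:len() - HDR_LEN
    end
    if plen > 0 then
        subtree:add(f_payload, buf(HDR_LEN, plen))
    end
    pinfo.cols.info = string.format("probe %u, %u payload bytes",
                                    buf(0, 4):uint(), plen)
end

-- Register for frames whose pcap link type is LINKTYPE_USER0/DLT_USER0, so
-- dumpcap output from a device using that value lands in this dissector.
DissectorTable.get("wtap_encap"):add(wtap.USER0, kpnode)
```

Place the file in Wireshark's personal Lua plugins directory; it takes effect for captures or files whose link type is USER0 without rebuilding Wireshark.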
