Wireshark mailing list archives

Re: PcapNG format support for dumpcap


From: Guy Harris <guy () alum mit edu>
Date: Thu, 16 Jul 2015 12:20:54 -0700


On Jul 16, 2015, at 12:49 AM, Roland Knall <rknall () gmail com> wrote:

> I've filed a bug report (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11370) for support in dumpcap and
> wireshark, to enable pcapng as a data format for capturing.

By which you presumably mean "enable pcap-ng as a data format that dumpcap supports when capturing from a pipe", as 
dumpcap has been able to *write* pcap-ng dump files for several releases - and has even *defaulted* to pcap-ng for the 
past few releases.

> We would need this for an extcap interface, where we would use the packet comments to add additional information to
> each packet, as otherwise we would have to write text files during capture, and these files are not forwarded
> correctly if a customer sends in a trace. Also we have to handle two data formats for the utility as of right now,
> which seems a little bit bloated.
>
> My question therefore is, is anyone working on that,

Not that I know of.

> or are there reasons why not?

It's a non-trivial project, and you're the first one who needed it enough to start looking at it?

> If no one is working on this, could one of the main developers offer a guess on where to change the interfaces for
> this?

You'd need to:

        change cap_pipe_open_live() to recognize both pcap and pcap-ng files;

        either change cap_pipe_dispatch() to do different operations for pcap and pcap-ng files, or have two pipe 
dispatch routines, one for pcap files and one for pcap-ng files;

        add new callback routines that, when given a pcap-ng packet, queue it or write it, and use them when 
capturing from a pipe/socket that delivers pcap-ng files.

> My guess so far after poking around in the code a little bit would be that, in dumpcap itself, the change would not be
> that big, as it seems to pass through whatever it reads, after initially checking on the file format. The bigger
> changes have to be done on the other side of the capture pipe in the XXshark utilities.

Umm, why would any changes be needed *at all* to them?

Wireshark and TShark have been able to read pcap-ng files for several releases now, and, for the past few releases, 
they've let dumpcap write its default pcap-ng format and read it quite happily. They wouldn't even *know* that dumpcap 
was capturing from a pipe, much less that pcap-ng rather than pcap packets were being delivered on the pipe.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
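The first of the three changes listed above, recognizing both pcap and pcap-ng on a pipe, comes down to a format sniff on the leading bytes. The following is an added example, not dumpcap's cap_pipe_open_live() or any Wireshark code: it classifies a buffer read from a pipe by magic number, derives the writer's byte order, and validates the Section Header Block length before a reader would trust it; the sample headers and the MAX_SHB_LEN bound are constructed for the example.

```c
/* Added example, not dumpcap's code: classify the first bytes arriving on a
 * capture pipe as pcap or pcap-ng, the check cap_pipe_open_live() would need,
 * and validate the first block's length before trusting it for a read. */
#include <stddef.h>
#include <stdint.h>

#define PCAP_MAGIC      0xA1B2C3D4u /* pcap, microsecond timestamps */
#define PCAP_NSEC_MAGIC 0xA1B23C4Du /* pcap, nanosecond timestamps */
#define PCAPNG_SHB_TYPE 0x0A0D0D0Au /* Section Header Block type, same in either byte order */
#define PCAPNG_BOM      0x1A2B3C4Du /* byte-order magic at offset 8 of the SHB */
#define MAX_SHB_LEN     (1u << 20)  /* assumed sanity bound; a real reader would pick its own */

typedef enum { FMT_UNKNOWN, FMT_PCAP, FMT_PCAPNG, FMT_PCAPNG_NEED_MORE } pipe_fmt;
/* big_endian: 1 if the writer emitted big-endian fields; first_block_len: header bytes before the first packet. */
typedef struct { pipe_fmt fmt; int big_endian; uint32_t first_block_len; } pipe_hdr_info;

static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint32_t bswap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xFF00u) | ((v << 8) & 0xFF0000u) | (v << 24);
}

/* buf holds the first len bytes from the pipe: 4 suffice for pcap, 12 for pcap-ng. */
pipe_hdr_info sniff_pipe_header(const uint8_t *buf, size_t len) {
    pipe_hdr_info info = { FMT_UNKNOWN, 0, 0 };
    if (len < 4) return info;
    uint32_t magic = get_le32(buf);
    if (magic == PCAP_MAGIC || magic == PCAP_NSEC_MAGIC ||
        magic == bswap32(PCAP_MAGIC) || magic == bswap32(PCAP_NSEC_MAGIC)) {
        info.fmt = FMT_PCAP;
        info.big_endian = (magic != PCAP_MAGIC && magic != PCAP_NSEC_MAGIC);
        info.first_block_len = 24; /* fixed pcap file header */
        return info;
    }
    if (magic != PCAPNG_SHB_TYPE) return info;
    if (len < 12) { info.fmt = FMT_PCAPNG_NEED_MORE; return info; } /* block type seen, BOM not yet read */
    uint32_t bom = get_le32(buf + 8);
    if (bom != PCAPNG_BOM && bom != bswap32(PCAPNG_BOM)) return info;
    info.big_endian = (bom != PCAPNG_BOM);
    uint32_t blen = info.big_endian ? bswap32(get_le32(buf + 4)) : get_le32(buf + 4);
    /* A valid SHB is at least 28 bytes and 32-bit aligned; reject anything else before reading that far. */
    if (blen < 28 || (blen & 3) != 0 || blen > MAX_SHB_LEN) return info;
    info.fmt = FMT_PCAPNG;
    info.first_block_len = blen;
    return info;
}

/* Constructed sample headers: little-endian pcap-ng SHB (total length 28) and big-endian pcap. */
const uint8_t sample_pcapng_le[12] = { 0x0A,0x0D,0x0D,0x0A, 0x1C,0,0,0, 0x4D,0x3C,0x2B,0x1A };
const uint8_t sample_pcap_be[4]    = { 0xA1,0xB2,0xC3,0xD4 };
```

A pipe reader would call this after the first 4 bytes arrive, read 8 more only when FMT_PCAPNG_NEED_MORE comes back, and then consume first_block_len bytes before handing packet blocks to the dispatch routine.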

