Re: PcapNG format support for dumpcap

[Roland Knall <rknall () gmail com>]

Thank you for your reply.

We have not been investigating far into dumpcap as of right now, so we just
assumed that the capture would be passed directly. But from what I am
reading, this sounds good enough for us.

I agree, that this is a non-trivial project, but we really would need
something like that, and we are actively looking into that. If and when we
are going to develop something like that has not been decided yet.

kind regards,
Roland

On Thu, Jul 16, 2015 at 9:20 PM, Guy Harris <guy () alum mit edu> wrote:

> On Jul 16, 2015, at 12:49 AM, Roland Knall <rknall () gmail com> wrote:
>
> > I've filed a bug report (
> https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11370) for support in
> dumpcap and wireshark, to enable pcapng as a data format for capturing.
>
> By which you presumably mean "enable pcap-ng as a data format that dumpcap
> supports when capturing from a pipe", as dumpcap has been able to *write*
> pcap-ng dump files for several releases - and has even *defaulted* to
> pcap-ng for the past few releases.
>
> > We would need this for an extcap interface, where we would use the
> packet comments to add additional information to each packet, as otherwise
> we wold have to write text files during capture, and these files are not
> forwarded correctly if a customer sends in a trace. Also we have to handle
> to data formats for the utility as of right now, which seems a little bit
> bloated.
> > My question therefore is, is anyone working on that,
>
> Not that I know of.
>
> > or are there reasons why not?
>
> It's a non-trivial project, and you're the first one who needed it enough
> to start looking at it?
>
> > If noone is working on this, could one of the main developers offer a
> guess on where to change the interfaces for this?
>
> You'd need to:
>
>         change cap_pipe_open_live() to recognize both pcap and pcap-ng
> files;
>
>         either change cap_pipe_dispatch() to do different operations for
> pcap and pcap-ng files, or have two pipe dispatch routines, one for pcap
> files and one for pcap-ng files;
>
>         add new callback routines that, when given a pcap-ng packet,
> queues it or writes it, and use them when capturing from a pipe/socket that
> delivers pcap-ng files.
>
> > My guess so far after poking around in the code a little bit would be,
> that in dumpcap itself the change would not be that big, as it seems to
> pass through whatever it reads, after initially checking on the file
> format. The bigger changes have to be done on the other side of the capture
> pipe in the XXshark utilities.
>
> Umm, why would any changes be needed *at all* to them?
>
> Wireshark and TShark have been able to read pcap-ng files for several
> releases now, and, for the past few releases, it's let dumpcap write its
> default pcap-ng format and reads it quite happily.  They wouldn't even
> *know* that dumpcap was capturing from a pipe, much less that pcap-ng
> rather than pcap packets were being delivered on the pipe.
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe