Wireshark mailing list archives
Re: Adding pcap-ng pipe support to dumpcap
From: Stephen Donnelly <Stephen.Donnelly () endace com>
Date: Wed, 30 Aug 2017 23:58:02 +0000
Richard Sharpe Sent: Saturday, 17 June 2017 5:28 AMOn Fri, Jun 16, 2017 at 9:36 AM, Kvidera, Evan D <EKvidera15 () winona edu> wrote: Hello Wireshark Devs, My name is Evan Kvidera and I am a senior undergraduate student studying Computer Science. I have a decent amount of programming experience, but only a little in C. My employer has asked me to try to add support for piping pcap-ng captures to Wireshark. I have read over the bug report requesting the feature, https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11370. After reading the mailing list archives here, https://www.mail-archive.com/wireshark-dev () wireshark org/msg33336.html , it looks like this addition will be nontrivial, but doable, and that the changes necessary are all going to be in dumpcap. I have at least a month or two of full-time work I can dedicate to this if necessary, although I am hoping it will not take that long. I have read through the Wireshark Developer's Guide and looked over the style guide for Wireshark. Is there anything else I should know before starting development? I will try to develop this as independently as possible, but I may have a few questions along the way.Hi Evan, I looked at this back in 2012 and even proposed a patch that might be useful to you: http://seclists.org/wireshark/2012/May/25 No doubt it was a little too simplistic but if I find some time next week while I am in Seattle I might try to resurrect it and see if it works.
Why pcap-ng specifically? Although pcap-ng is higher featured than pcap, it is not Wireshark's internal representation. Pcap-ng is merely the default output format. Since Wireshark has the ability to detect and read multiple formats already in wiretap, why not leverage that? At the very least extcap tools should be able to supply data in any format understood by wiretap, but since the extcap data currently goes via dumpcap (maybe not sensible either?) they are restricted to pcap only and have to convert to that internally, potentially losing information. Wouldn’t it be better for the capture tool to indicate which of the wiretap formats it intends to use, rather than switching from one fixed format to a different fixed format? This would then support both pcap and pcap-ng intrinsically, as well as all other formats. Regards, Stephen ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- Re: Adding pcap-ng pipe support to dumpcap Ed Beroset (Aug 29)
- Re: Adding pcap-ng pipe support to dumpcap Richard Sharpe (Aug 29)
- Re: Adding pcap-ng pipe support to dumpcap Ed Beroset (Aug 29)
- Re: Adding pcap-ng pipe support to dumpcap Anders Broman (Aug 30)
- Re: Adding pcap-ng pipe support to dumpcap Richard Sharpe (Aug 30)
- Re: Adding pcap-ng pipe support to dumpcap Kvidera, Evan D (Aug 31)
- Re: Adding pcap-ng pipe support to dumpcap Ed Beroset (Aug 29)
- Re: Adding pcap-ng pipe support to dumpcap Richard Sharpe (Aug 29)
- <Possible follow-ups>
- Re: Adding pcap-ng pipe support to dumpcap Stephen Donnelly (Aug 30)
- Re: Adding pcap-ng pipe support to dumpcap Ed Beroset (Aug 30)
- Re: Adding pcap-ng pipe support to dumpcap Guy Harris (Aug 30)
- Re: Adding pcap-ng pipe support to dumpcap Ed Beroset (Aug 31)
- Re: Adding pcap-ng pipe support to dumpcap Guy Harris (Aug 31)
- Re: Adding pcap-ng pipe support to dumpcap Jeff Morriss (Aug 31)
- Re: Adding pcap-ng pipe support to dumpcap Guy Harris (Aug 31)
- Re: Adding pcap-ng pipe support to dumpcap Ed Beroset (Aug 30)
- Re: Adding pcap-ng pipe support to dumpcap Anthony Coddington (Aug 31)
- Re: Adding pcap-ng pipe support to dumpcap Stephen Donnelly (Aug 30)