Wireshark · Ethereal-dev: [ethereal-dev] integrating a system with ethereal

Ethereal-dev: [ethereal-dev] integrating a system with ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jim Yuill <jimyuill@xxxxxxxxx>

Date: Mon, 27 Sep 1999 14:19:05 -0400

Seeking advice on integrating a system with ethereal...

I'm building a packet-forwarding device, for a research project.  The
device will sit between some workstations and the network. It's job is to
just forward packets between the workstations and the network, and also log
the packets.  All the packets need to be logged, so I can't use a passive
sniffer, as it is subject to packet loss.

For the logging, I'd like to just write-out the packets in tcpdump's
format, so the log can be analyzed using ethereal.

Originially, I was going to modify libpcap to write-out the records, e.g.
use pcap_dump_open and pcap_dump.   As a novice sockets programmer, I'm
finding libpcap internals hard to work with.

I'm getting the packets via the "divert socket" function, which is just a
raw socket.  It looks like it'll be easier to just write the packet out
myself, using the pcap format (which is what tcpdump uses).  I'm hoping
then to look at the data via ethereal.

The pcap format itself is not documented, looks like I'll have to dig
through the code to figure it out.  It might be easier to figure it out via
ethereal's code.

Any advice on this most appreciated, especially how to dump the packets to
a file in tcpdump format.

Thanks,
Jim

#############################################################
Quotes of the Day:
The mantra of the "cult of measurement":
"When you can measure what you are speaking about and express it in 
numbers, you know something about it; but when you cannot express it in 
numbers, your knowledge is meager and unsatisfactory."  Lord Kelvin

Some refreshing dissension:
"Not everything that is counted counts, and not everything that counts can
be counted."  Albert Einstein

"The most important figures needed for management of any organisation 
are unknown and unknowable."  Dr. Deming

"...Mises... believed that economics was a science, not one to be studied 
with the methods of the physical science, but nonetheless a science, with 
axiomatic propositions, a formal structure, and universal applicability."
Austrian Economics Newsletter

#############################################################
Jim Yuill, graduate student
Computer Science Department,  North Carolina State University
919-515-9677 (w),  919-696-9523 (cell, incoming calls ok)  
home page:  http://www.pobox.com/~jimyuill

Follow-Ups:
- Re: [ethereal-dev] integrating a system with ethereal
  - From: Guy Harris

Prev by Date: Re: [ethereal-dev] Ethereal on SGI
Next by Date: Re: [ethereal-dev] integrating a system with ethereal
Previous by thread: [ethereal-dev] Writing pcap files ...
Next by thread: Re: [ethereal-dev] integrating a system with ethereal
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$