Wireshark-dev: Re: [Wireshark-dev] Wireshark Portable, running it from USB devices
From: "John T. Haller" <public@xxxxxxxxxxxxxx>
Date: Wed, 07 Mar 2007 20:57:14 -0500
Howdy Ulf,

> In fact I'm using some PortableApps already, so yes, I know your page - very nice work!

Ah, nice :-)

> I would personally welcome a "PortableWireshark" version, and would be willing to spend some effort for it (unfortunately, currently my time is pretty limited).

> BTW: We will probably not drop U3 support, unless there's a very good reason for it :-) BTW(2): The main U3 advantage I still see is the way it's closing applications - which might be added easily to PortableApps as well.

If you mean the HostCleanup processes, be sure you're not doing anything
critical within them as they are not guaranteed to run.  Obviously, if
the PC crashes, they never run (which most people know) but if you turn
the PC off with the drive in, the U3 platform never shuts down.  So,
even if you closed Wireshark for U3 and then shut the PC off (or put it
to sleep), the HostCleanup will not be run.  It's best to have any
cleanup stuff run as the app closes as I do with all the portable apps
(and as I did with the U3 versions of them: Firefox, Thunderbird, etc).

> There are two tasks to make Wireshark a full "Portable App":
>
> 1)
> make Wireshark itself "portable" - shouldn't be too difficult as Wireshark is cleanly programmed in this regard
>
> The current U3 code leads to the places to look at. It's about finding some directories, e.g. where to find/save the user's settings (usually at "c:\Documents and Settings\<username>\Application Data\Wireshark" or the corresponding international path). You might already have some solutions for this, as I guess this is a common problem for all portable apps.

I personally recommend a commandline option as this provides the most
flexibility.  That way the end user has complete control should they
want it.  Firefox, Thunderbird, etc all provide commandline switches for
this.  And, you could use this same commandline switch for your U3
package (no need to check for the environment variables = less code).

> Some background info:
> - the Wireshark installer is already NSIS based
> - Wireshark itself won't write to the registry (the installer will only write to the registry for file extension association which can be easily omitted)
> - WS should be able to run with "ordinary" user privileges
>
> => Making Wireshark a PortableApp shouldn't be too difficult.

I figured as much from what I'd been checking out.

> 2)
> make WinPcap "portable" - I don't know a good way for this (might become pretty difficult)
>
> WinPcap is the driver to capture live network data (for Wireshark and a lot of similar tools). It seems that WinPcap must be installed in c:\winnt\system32 to work properly - at least I don't know a better way than this :-(
>
> Unfortunately, while WinPcap itself is open source, the WinPcap installer is closed source, so there's no easy way to get an idea how to do it from sample code.

Now that is a tad odd. It is unfortunate, too, as that would completely preclude me from hosting it on SourceForge.

From what I've analyzed, it installs the following files:
%WINDIR%\system32\Packet.dll
%WINDIR%\system32\pthreadVC.dll
%WINDIR%\system32\WanPacket.dll
%WINDIR%\system32\wpcap.dll
%WINDIR%\system32\drivers\npf.sys

The Packet.dll and npf.sys files appear to vary depending on the OS (probably different ones for Windows 98, etc) as there are 3 variations of each in the installer. It does more than simply regsvr32 them as well, since it appears to need to hook its network driver to each interface on the system. I can run a registry and file system comparison to get a rough idea of this.

> This is how the U3 package handles this when the stick is plugged in:
> - detect if WinPcap is already installed on the system
> - if not, call the WinPcap setup.exe and install it on the system
> - when the stick is going to be unplugged and WinPcap was installed by the U3 package, ask the user if he wants to uninstall WinPcap
>
> => This obviously isn't nice, but we don't know a better way. In addition, you'll need Administrative privileges to install/start/uninstall WinPcap :-(

Even without the WinPCap installer, we'll need admin rights for this as it will require access to the drivers setup within Windows. There's no way around that unfortunately.

> Wireshark will run without WinPcap, e.g. to show previously captured data, but WinPcap is needed to capture any live network data.

Yeah, not anywhere near as useful.

> So what I would like to know for a start:
>
> - how to distinguish if WS is running as a PA (U3 uses an environment setting)? Or is this done through a command line switch or such?

Command line option is my recommendation. And I'd suggest using it for the portable and U3 version.

> - we'll need an "Application Data/Wireshark" directory somewhere on the stick - is there a "portable app recommendation" for this?

The standard setup would be:

X:\PortableApps\
------\WiresharkPortable\  (this is where WiresharkPortable.exe lives)
------------\App\
------------------\wireshark\  (all Wireshark's binaries live here)
------------------\winpcap\  (winpcap installer, just to keep it neat)
------------\Data\  (this would contain any user settings files, etc)

Obviously, Wireshark Portable would only be concerned with its bits inside its own directories. That's one of the nice things about portable apps. And that WiresharkPortable.exe launcher would handle the whole:
1. Detect if WinPCap is installed, if not, install it
2. Run Wireshark and pass it the commandline switch... something like:
   wireshark.exe -datapath=X:\PortableApps\WireSharkPortable\Data
3. Stick around until Wireshark finishes
4. Uninstall WinPCap if we installed it on Wireshark exit

> - where do we get one of those fancy splash screens for Wireshark from? Might be derived from the current splash screen picture ;-)

Oh, you'll get one of those, too :-) And you'll be able to edit/maintain the Wireshark Portable page on PortableApps.com if you'd like.

> P.S.: Well, the page http://portableapps.com/development is a bit short ;-) If it would be more comprehensive, I might have started this task already a lot earlier ...

Yeah, I have work to do on that.

Ok, if you can get me a Wireshark build that accepts a commandline parameter pointing it to its data and let me know how you check for PCap being installed (is just checking for the DLL enough?) I can get you a test portable build... fancy splash screen and all. Oh, and I started checking out compression and I can get the Wireshark install from 68MB down to 22MB using UPX compress with specific settings on the DLLs and EXEs. I have a script that takes care of this I can give ya. I can package this all up in a PAF (it stands for PortableApps.com Format) so it can be installed by anyone by itself or auto-installed into the PortableApps.com Menu (it's under Options).

Best,
John
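The four launcher steps John lists (detect WinPcap, install it if missing, run Wireshark against a data directory on the stick, uninstall on exit) and his question of whether checking for the DLL is enough, as an added example. This is not PortableApps.com, Wireshark or WinPcap code. It assumes the `-datapath=<dir>` switch proposed in the thread (no released Wireshark has that exact switch; current releases take `-P persconf:<dir>` instead, which is why the switch is parameterised), a hypothetical installer name under `App\winpcap\` and the conventional `%ProgramFiles%\WinPcap\uninstall.exe` uninstaller path. The `sc query npf` output used below is constructed from the format Windows prints.

```python
"""Sketch of a WiresharkPortable launcher (added example; not project code).

Mirrors the four launcher steps from the thread.  Cleanup runs in a
`finally` block as Wireshark exits rather than in a U3-style HostCleanup,
because a shutdown or sleep with the stick still inserted never runs
HostCleanup at all.
"""
import os
import re
import subprocess
import sys

# Of the five files the installer drops into %WINDIR%\system32, these three
# are the ones without which no live capture is possible: the libpcap API
# DLL, the low-level packet DLL and the kernel driver.
WINPCAP_CORE = ("Packet.dll", "wpcap.dll", os.path.join("drivers", "npf.sys"))


def core_paths(windir):
    """Full paths of the core WinPcap components under %WINDIR%\\system32."""
    sys32 = os.path.join(windir, "system32")
    return [os.path.join(sys32, name) for name in WINPCAP_CORE]


def winpcap_installed(windir, exists=os.path.isfile):
    """True only if every core component is present.

    `exists` is injectable so the check can run without a real Windows box.
    Answering John's question: checking one DLL is not enough.  A partial
    uninstall or a driver install that failed (no admin rights) leaves
    wpcap.dll behind; Wireshark then starts but lists no interfaces.
    """
    return all(exists(p) for p in core_paths(windir))


_STATE_RE = re.compile(r"^\s*STATE\s*:\s*(\d+)\s+(\w+)", re.M)


def npf_driver_state(sc_query_output):
    """Parse the STATE line of `sc query npf` (the NPF driver service).

    Returns the state word ("RUNNING", "STOPPED", ...) or None when the
    service is not registered, in which case sc prints an error and no
    STATE line.  A registered but stopped driver is acceptable: Packet.dll
    starts it on first use, which itself needs administrative rights
    unless the driver was set to start automatically at boot.
    """
    m = _STATE_RE.search(sc_query_output)
    return m.group(2) if m else None


def wireshark_cmdline(app_dir, data_dir, switch="-datapath="):
    """argv for step 2.  `switch` defaults to the hypothetical option from
    the thread; pass "-P persconf:" for current Wireshark releases."""
    exe = os.path.join(app_dir, "wireshark", "wireshark.exe")
    return [exe, switch + data_dir]


def launch(portable_root, windir=None):
    """Steps 1-4: install WinPcap if absent, run Wireshark, wait, clean up."""
    windir = windir or os.environ.get("WINDIR", r"C:\Windows")
    app_dir = os.path.join(portable_root, "App")
    data_dir = os.path.join(portable_root, "Data")
    os.makedirs(data_dir, exist_ok=True)

    installed_by_us = False
    if not winpcap_installed(windir):
        # Step 1.  The installer is interactive and needs admin rights;
        # the file name is a hypothetical placeholder.
        installer = os.path.join(app_dir, "winpcap", "WinPcap_installer.exe")
        subprocess.run([installer], check=False)
        if winpcap_installed(windir):
            installed_by_us = True
        else:
            # Wireshark still runs without WinPcap, just without live capture.
            print("WinPcap not installed; live capture unavailable", file=sys.stderr)
    try:
        # Steps 2 and 3: run Wireshark and block until it exits.
        subprocess.run(wireshark_cmdline(app_dir, data_dir), check=False)
    finally:
        # Step 4: only remove what we put there.  Uninstaller path assumed.
        if installed_by_us:
            prog = os.environ.get("ProgramFiles", r"C:\Program Files")
            uninst = os.path.join(prog, "WinPcap", "uninstall.exe")
            if os.path.isfile(uninst):
                subprocess.run([uninst], check=False)


if __name__ == "__main__":
    # Run from X:\PortableApps\WiresharkPortable\ next to App\ and Data\.
    launch(os.path.dirname(os.path.abspath(__file__)))
```

The state check is kept separate from the file check on purpose: the file list says whether an uninstall is needed on exit, the driver state says whether capture will actually work for the current user, and the two can disagree on a machine where WinPcap was installed by one account and the stick is used from another.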