Wireshark-dev: [Wireshark-dev] Extending Wireshark libpcap format support, or start using pcapn
Hi List!
I have demand for storing some meta information into the capture file and later display it in Wireshark. This information is available in a separate capture tool and currently cannot be transferred to Wireshark to be displayed :-(
This would range from generic information like "which Ethernet interface was used to capture" (especially interesting when capturing simultaneusly from more than one Ethernet interface) to application domain specific stuff that won't be of general interest (at least as I would guess).
AFAIR, I'm not the only one with such a demand, so I would like to have a generic solution here.
I see two possible ways to achieve this:
a) extend libpcap format by using a new DLT_ value and putting the meta info somehow into it (e.g. by putting some TLV information between the frame and the Ethernet part of a packet). However, this would be "another hack" and not a good generic solution IMO.
b) bringing pcapng http://www.winpcap.org/ntar/default.htm to life. I guess that this would solve the problems mentioned above, but I have no clue about the current state of the project. Looking at the webpage, it seems that development stalled in 2004/2005 - so I don't know how much work it would be to include pcapng into Wireshark and what's left to do in pcapng in this regard.
As I would prefer b) - only the time is the limit, I need a solution till around the end of October. My feeling is that b) is not in the state of going "prime time" so I'll stuck with a) for the time being ...
Someone with further information - or even someone working already on this topic?
Regards, ULFL
______________________________________________________________________
XXL-Speicher, PC-Virenschutz, Spartarife & mehr: Nur im WEB.DE Club!
Jetzt testen! http://produkte.web.de/club/?mc=021130