Hi,
Basically I'm doing my degree project to decode the SCTP protocol, so I'm not really concerned with the size of data right now.
On Sat, Jul 26, 2008 at 7:35 AM, Nathan Jennings <njen@xxxxxxxxxxxx> wrote:
On 7/25/2008 4:02 AM, Saeed Akhtar wrote:
> Is there any tool for offline scripting ........
>
You may want to have a look at CoMo:
http://como.sourceforge.net/

From the "Publications" section:
http://como.sourceforge.net/pubs/fastproto.pam2006.pdf

I suppose it depends on your requirements and how much/little code you
want to write.

What application layer protocols are you interested in (i.e. decodes)?
Or is just basic IP/TCP/UDP info enough? Are you firmly set on using
the decodes/logic (data) Wireshark supplies (if so, then you'd need to
write some code to extract that and then import it somehow (tshark -T
pdml?))?

It'd be interesting to hear your requirements/use case and your
estimated data set size.

FWIW, a while back I wrote a couple of "off-the-cuff" (quick and dirty)
scripts that did a simple nightly export from a firewall log that had
about 2GB of data. I then stripped it to just IP/port address pairs and
timestamps and maybe a small proprietary firewall tag (varchar) field or
two. The other script deleted any existing indexes and then did a bulk
data load into a PostgreSQL table and then re-created the indexes.

What surprised me was how slow this process was... with a 2-way Xeon 2.6
GHz box, SCSI disks and 2GB RAM (I wish I could remember some queries I
did and the load/import times, sorry). Depending on your queries and the
amount of data you actually load into the tables, and obviously your
hardware, you may be in for a rough/slow ride.

I don't intend to discourage you, just to pass along some very basic
info from an admittedly simple test/trial I did.

Like most things, it just depends on your requirements/data sets and
whether the performance/load is acceptable.

The paper I referenced above had some references to other projects that
you might find useful.

Hope this helps, -Nathan
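
For the "tshark -T pdml" extraction step mentioned above, an added example (not part of the original thread and not code from either poster): a streaming parser that flattens the SCTP packets in a PDML export into one row per packet, ready for a bulk load. The PDML sample is constructed, and `sctp_rows` and `WANTED` are hypothetical names; the field names are Wireshark's SCTP display-filter fields.

```python
import io
import xml.etree.ElementTree as ET

# Constructed sample shaped like `tshark -T pdml` output (name/show only).
SAMPLE_PDML = b"""<pdml>
<packet>
 <proto name="frame"><field name="frame.number" show="1"/></proto>
 <proto name="ip"><field name="ip.src" show="192.0.2.10"/>
  <field name="ip.dst" show="192.0.2.20"/></proto>
 <proto name="sctp"><field name="sctp.srcport" show="2905"/>
  <field name="sctp.dstport" show="2905"/>
  <field name="sctp.verification_tag" show="0x00000000"/>
  <field name="" show="INIT chunk"><field name="sctp.chunk_type" show="1"/></field>
 </proto>
</packet>
<packet>
 <proto name="frame"><field name="frame.number" show="2"/></proto>
 <proto name="tcp"><field name="tcp.srcport" show="443"/></proto>
</packet>
<packet>
 <proto name="frame"><field name="frame.number" show="3"/></proto>
 <proto name="sctp"><field name="sctp.srcport" show="2905"/>
  <field name="sctp.verification_tag" show="0x1a2b3c4d"/>
  <field name="" show="DATA chunk"><field name="sctp.chunk_type" show="0"/></field>
  <field name="" show="SACK chunk"><field name="sctp.chunk_type" show="3"/></field>
 </proto>
</packet>
</pdml>"""

WANTED = ("frame.number", "ip.src", "ip.dst", "sctp.srcport",
          "sctp.dstport", "sctp.verification_tag")

def sctp_rows(stream):
    """Yield one flat dict per packet that carries an SCTP layer."""
    for _, pkt in ET.iterparse(stream, events=("end",)):
        if pkt.tag != "packet":
            continue
        sctp = pkt.find("proto[@name='sctp']")
        if sctp is not None:
            shown = {f.get("name"): f.get("show") for f in pkt.iter("field")}
            row = {k: shown.get(k) for k in WANTED}  # None if field absent
            # Chunks can be bundled, so collect every sctp.chunk_type value.
            row["chunk_types"] = [f.get("show") for f in sctp.iter("field")
                                  if f.get("name") == "sctp.chunk_type"]
            yield row
        pkt.clear()  # release the subtree so large exports stay cheap

if __name__ == "__main__":
    for row in sctp_rows(io.BytesIO(SAMPLE_PDML)):
        print(row)
```

Against a real export, pass an open binary file handle instead of the `BytesIO` wrapper; values are kept as the strings tshark printed them.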