Wireshark-dev: Re: [Wireshark-dev] Using Wireshark packet parsers and pretty printers
Thank you for your answers. For now I will start to use the PDML file.
Later on I will try to do it using the Wireshark API.
On Tue, Mar 10, 2009 at 01:27, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>
> On Mar 9, 2009, at 5:27 PM, Richard Sharpe wrote:
>
>> At each layer it extracts the fields it needs and puts them into the
>> protocol tree or the columns, however, there is no library that allows
>> you to parse a packet and then say:
>>
>> give me the value of the field tcp.flags or smb.fid or so forth
>>
>> Ethereal is not organized that way.
>
> Well, not *entirely* true, but it's not as if there's some library
> that lets you do that *conveniently*.
>
> In reasonably recent versions of Ethereal - and thus in all versions
> of Wireshark, as the "epan" library was created before the program was
> renamed from Ethereal to Wireshark - the library (called "libethereal"
> in Ethereal, and "libwireshark" in Wireshark) has routines:
>
> epan_init() - initializes the library;
>
> epan_dissect_new() - allocates an epan_dissect_t structure to hold
> the context of a dissection, and returns a pointer to it;
>
> epan_dissect_prime_dfilter() - tells the library which fields you'll
> need to look at (although the API is *really* oriented towards
> "display filters" so you can't just do it by giving it the names of
> the fields);
>
> epan_dissect_run() - hand it an epan_dissect_t, the pseudo-header for
> the packet as returned by *another* Wireshark library (libwiretap),
> the raw packet data for the packet (as returned by libwiretap), and
> some other information;
>
> epan_dissect_free() - releases the epan_dissect_t when you're done
> with the dissection and have extracted the information you want from
> the result.
>
> The values of the fields can be found by looking in the protocol tree
> pointed to by the "tree" member of the epan_dissect_t; you'd have to
> walk through the tree looking for instances of the fields.
>
> As one can tell from the number of places where I just waved my hands
> rather than giving details, this is rather complicated. The library
> was *not* designed to be used by arbitrary applications, so the API is
> somewhat oriented towards its use in Wireshark and TShark.
>
> And, just to add to the complication, I didn't mention that Wireshark
> dissector maintain state between packets, which they might require in
> order to properly dissect packets, so somebody would want to use
> libwiretap to read an entire capture file, calling epan_dissect_new()/
> epan_dissect_prime_dfilter()/epan_dissect_run()/epan_dissect_free() on
> each of the packets.
>
> So I'm not sure it's possible to have a "simple" program that uses
> it. It might be easier to have TShark read the capture file and
> produce a version of the protocol tree as PDML, and have the program
> read the PDML file, as Stephen Donnelly suggested.
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>
--
Ulisses Costa - http://caos.di.uminho.pt/~ulisses/