Hello developers,
I'd like to explain a project I have been thinking about doing for a
while, but of course it could also be done as a Google project (I could
also mentor it). Let me first explain the situation at my work:
We often have to debug network issues and have to follow
packets/connections as they progress through the network. So we often
create multiple capture files at multiple devices while running a test.
To see how the packets are traversing the network we would then like to
follow the packets through the multiple capture files. We open multiple
instances of Wireshark, load the capture files and then try to add
filters to find the packets we're interested in.
The idea is that I can 1) remote control a Wireshark from another
process to jump to a specific frame/packet, 2) look up packets
intelligently. I'll explain the two features some more.
1) I'd like to remote control a Wireshark process and for a start
initiate a "goto frame". I don't expect the Wireshark processes to be
all on the same computer, either because my capture file is large and I
need more than one computer to load them, or because I'd like to discuss
a capture file with a friend over the phone, each looking at their local
Wireshark. Thus a remote control via network. Now I do expect for a
first iteration that all those Wireshark hosts are on the same LAN, so I
would like to use UDP multicast to send those remote control messages.
With a preference setting a user can enable the feature and join a
multicast group. This also makes it independent of the operating system
Wireshark is running on; I could mix and match different combinations.
For a first iteration security would not be mandatory, but the remote
control protocol should have a provision to add it later.
The idea is, two Wireshark processes load the same capture file, then
they exchange some basic information on the current view. For a start I
would like to see a "goto frame" command and an "apply filter" command.
2) Now that I can remote control two Wireshark processes, I'd like to
extend that feature for an intelligent matching of network packets, if I
load two different capture files. The idea is that for certain parts of
the protocols we calculate a hash sum and store the hash sum with the
frame number in a global map. Then I would send a "goto hash" command
and the remote Wireshark would check if its hash map contains the same
hash and go to the corresponding frame.
Each network packet can create multiple hashes, for example
- TCP payload
- IP src/dst address+TCP src/dst port (same for UDP)
- ethernet src/dst address + payload length
- specific protocol dissectors can create their own hashes, for example
DCE/RPC dissector can use protocol type (UUID) + Call ID; HTTP dissector
could use header key/value pairs, etc.
Via a context menu on the packet I can select which of these hashes to
use for the remote control command.
--
---> Dirk Jagdmann ^ doj / cubic
----> http://cubic.org/~doj
-----> http://llg.cubic.org
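The hash-map matching from point 2, as an added example that is not part of the original mail or of Wireshark itself: constructed sample frames (the assumed field names stand in for what a dissector would supply) are hashed per kind, a hash -> frame-number map is built per capture, and a "goto hash" lookup resolves a hash from one capture against the other; the sample shows why a payload hash still matches after a router rewrote the Ethernet addresses while the 5-tuple hash is shared by every packet of the flow.

```python
import hashlib
from collections import defaultdict

# Constructed sample frames (not real captures): the same HTTP request seen
# before (CAPTURE_A) and after (CAPTURE_B) a router that rewrites the
# Ethernet addresses, plus a bare ACK of the same TCP flow in each capture.
ETH_A = {"eth_src": "00:11:22:33:44:01", "eth_dst": "00:11:22:33:44:02"}
ETH_B = {"eth_src": "00:11:22:33:44:03", "eth_dst": "00:11:22:33:44:04"}
FLOW = {"ip_src": "10.0.0.1", "ip_dst": "10.0.1.9", "proto": "tcp",
        "sport": 51000, "dport": 80}
GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
CAPTURE_A = [dict(frame=1, payload=GET, **ETH_A, **FLOW),
             dict(frame=2, payload=b"", **ETH_A, **FLOW)]
CAPTURE_B = [dict(frame=7, payload=b"", **ETH_B, **FLOW),
             dict(frame=8, payload=GET, **ETH_B, **FLOW)]

def digest(kind, data):
    # Tag each hash with its kind so a payload hash can never collide with
    # a 5-tuple or Ethernet hash computed over the same bytes.
    return hashlib.sha256(kind.encode() + b"\0" + data).hexdigest()

def frame_hashes(pkt):
    """Return {kind: hash} for the hash kinds listed in the mail."""
    out = {}
    if pkt["payload"]:
        out["payload"] = digest("payload", pkt["payload"])
    if pkt["proto"] in ("tcp", "udp"):
        key = "|".join(str(pkt[k]) for k in
                       ("ip_src", "ip_dst", "proto", "sport", "dport"))
        out["l3l4"] = digest("l3l4", key.encode())
    eth = f"{pkt['eth_src']}|{pkt['eth_dst']}|{len(pkt['payload'])}"
    out["eth"] = digest("eth", eth.encode())
    return out

def build_hash_map(frames):
    """Global map hash -> [frame numbers]. A list, not a single frame:
    every packet of one flow shares the same 5-tuple hash, for instance."""
    m = defaultdict(list)
    for pkt in frames:
        for hv in frame_hashes(pkt).values():
            m[hv].append(pkt["frame"])
    return dict(m)

def goto_hash(hash_map, hv):
    """Remote side: frames matching a received "goto hash", [] if unknown."""
    return hash_map.get(hv, [])

def locate(local_pkt, kind, remote_map):
    """Local side: the hash kind picked in the context menu, sent to the remote."""
    hv = frame_hashes(local_pkt).get(kind)
    return goto_hash(remote_map, hv) if hv else []
```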