Has any thought ever been given to giving Wireshark a scripting
engine? I'm not fussed what language, Python or similar would be
nice. This could make it much easier to do custom things with packets
or streams.
As I see it, Wireshark currently has some excellent features such as:
- fairly reliable stream reassembly
- excellent protocol decoding
- a command-line equivalent that has all the same features
- standard pcap filtering but also display filtering with access to
protocol fields
From a scripting engine, the following sorts of things would be
useful and allow Wireshark to undertake a whole variety of extra tasks:
- per packet or per stream inspection
- access to the raw packet data at a certain level (e.g.
Ethernet->IP->TCP->data) to save it/inspect it
- access to headers of certain protocols to rewrite them, e.g.
changing MAC addresses or vlan headers
- access to the decoded protocol fields, e.g. TCP->data->http.request.uri
Many of the current statistics scripts could be rewritten using it,
which might suffer a speed penalty but would allow a lot of
customisation.
There are plenty of tools to do some of these things but many of them
struggle with anything other than pcap (or can only capture from the
network), cannot handle frames with extra headers such as vlan, will
only process Ethernet, etc.
David
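As an added example (not part of David's message, and not Wireshark's own code), here is the kind of per-packet inspection the wishlist describes, done with only the Python standard library: walk a pcap frame Ethernet -> 802.1Q tag(s) -> IPv4 -> TCP -> data and pull out the decoded http.request.uri, without being tripped up by VLAN-tagged frames. The sample capture is constructed inline so the script runs offline.

```python
import struct

def _pcap(frames):
    """Constructed pcap file (little-endian magic, LINKTYPE_ETHERNET = 1)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def _frame(payload, vlan=None):
    """Constructed Ethernet frame: optional 802.1Q tag, IPv4 10.0.0.1 -> 10.0.0.2, TCP to port 80."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tag = b"" if vlan is None else struct.pack(">HH", 0x8100, vlan)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack(">HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + tag + b"\x08\x00" + ip + tcp + payload

def http_request_uris(pcap):
    """Return (vlan_id, src_ip, dst_ip, uri) for every frame carrying an HTTP request line."""
    magic, = struct.unpack_from("<I", pcap)
    end = "<" if magic == 0xA1B2C3D4 else ">"          # honour the file's byte order
    off, found = 24, []
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack_from(end + "IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        pos, vlan = 12, None                            # skip dst/src MAC
        ethertype, = struct.unpack_from(">H", frame, pos); pos += 2
        while ethertype in (0x8100, 0x88A8):            # peel 802.1Q / QinQ tags
            tci, ethertype = struct.unpack_from(">HH", frame, pos); pos += 4
            vlan = tci & 0x0FFF
        if ethertype != 0x0800:                         # IPv4 only in this example
            continue
        ihl, proto = (frame[pos] & 0x0F) * 4, frame[pos + 9]
        src, dst = frame[pos + 12:pos + 16], frame[pos + 16:pos + 20]
        if proto != 6:                                  # TCP only
            continue
        pos += ihl
        data = frame[pos + (frame[pos + 12] >> 4) * 4:] # TCP data offset -> payload
        parts = data.split(b"\r\n", 1)[0].split(b" ")
        if len(parts) == 3 and parts[2].startswith(b"HTTP/"):   # request line, not a response
            found.append((vlan, ".".join(map(str, src)), ".".join(map(str, dst)),
                          parts[1].decode("ascii", "replace")))
    return found

SAMPLE = _pcap([_frame(b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n", vlan=100),
                _frame(b"HTTP/1.1 200 OK\r\n\r\n"),
                _frame(b"GET /login?u=a HTTP/1.0\r\n\r\n")])

if __name__ == "__main__":
    for vlan, src, dst, uri in http_request_uris(SAMPLE):
        print(f"vlan={vlan} {src} -> {dst} uri={uri}")
```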