Using libwireshark to programmatically obtain Wireshark functionality

If I want to write a script that uses Wireshark functionality, I use tshark. I heard that there is also libwireshark that you can use when writing a program in C, but, for the life of me, I cannot find any documentation for this! I tried to isolate the library code in the wireshark source tree, but it seems the code is not very well organized and there is no such isolation (either that, or I could not find it).

I have two questions:

  • Am I right in believing that libwireshark can indeed be used to programmatically implement any function that I can get from wireshark / tshark?
  • Can you point me to any documentation / tutorials / examples on this? Even a few simple examples can go a long way. Otherwise, can you point me to an explanation of how I can find my way around the wireshark source tree?
+9
wireshark
4 answers

No.

libwireshark is not intended to be used outside of Wireshark itself, and trying to do so will leave you on your own trying to figure out what is going wrong. libwireshark is actually the packet analysis part of Wireshark (called epan, for Ethereal packet analyzer), which, as you can see in the Developer's Guide, is not all of Wireshark. In fact, what libwireshark provides is the main interface for all of the built-in protocols, hooks for plugin dissectors, and the full packet dissection API. It relies on mechanisms created by the rest of Wireshark for things that are not packet dissection tools themselves but allow dissectors to do their job (e.g., allocating and freeing pieces of memory, processing compressed or encrypted data, etc.).

Write a dissector instead.
If your project needs to strictly analyze network traffic in some way, perhaps you should consider writing a dissector for Wireshark rather than reinventing the many wheels that Wireshark could provide you with. If you need to do something more complex, for example, monitor network traffic and then run other tasks or send data yourself, you are probably better off using tshark and shell scripts, as you already do (remember that you should not let tshark run for very long periods of time anyway).

If you really want to use libwireshark directly, you need to somehow resolve all its dependencies (preferably by making it a real stand-alone library) and consider the assumptions it makes about Wireshark (or tshark) actually running. The code for libwireshark is well organized; it simply consists of the entire epan directory under the Wireshark source tree and is laid out in accordance with the conventions that were established when Wireshark was still Ethereal. The documentation for each function is provided in the header files where it is public, and in more depth in the source files in each case. Also keep in mind that README.developer, distributed with the source code, is a good place to get some tips (and you can also read all the README.* files if you want to complete this task).

+7

Of course you can use libwireshark outside of Wireshark itself; I know of netexpect, for instance. You can try looking at that project's website for information, or try contacting Eloy Paris, the author of netexpect, for more help / pointers.

+3

Yes! You can get this functionality using libwireshark. I wrote all the code to do the same. It just works great.

+2

I too wrote scripts around wireshark functions as part of my project to automate some things.

The best way is to use the wireshark add-ons, as shown below:

  • tshark to read the pcap file using a filter, but if you find that a function is missing, just edit tshark.c in the wireshark source code.
  • capinfos to provide details such as missing packets or file size, etc. (there is a script called capinfos in the wireshark source code; edit it if you want more features)

Note that the add-ons work only on Linux, and capinfos is written as a shell script. Thus, you can use the same shell scripts and create new scripts to improve functionality.

I too ran into a big problem because there is no proper documentation. But once you get started, it goes smoothly.

+1
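As an added example (not from any of the answers above) of the tshark-plus-script approach that the first and last answers recommend: a small Python wrapper that reads a capture file with a display filter, extracts a few fields with `-T fields`, and summarizes them per source address. The capture path, filter and sample output are constructed; only the tshark flags and field names are real.

```python
import csv
import shutil
import subprocess
from collections import Counter

# Fields asked of tshark; the parser assumes this order and no header line.
FIELDS = ["frame.number", "ip.src", "ip.dst", "frame.len"]

def tshark_command(pcap_path, display_filter):
    """Command line: read a capture, apply a display filter, print FIELDS as CSV."""
    # occurrence=f keeps only the first value when a field occurs twice (IP-in-IP).
    cmd = ["tshark", "-r", pcap_path, "-Y", display_filter, "-T", "fields",
           "-E", "separator=,", "-E", "occurrence=f"]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd

def parse_fields_output(text):
    """Parse `tshark -T fields` output into dicts keyed by FIELDS."""
    rows = []
    for rec in csv.reader(text.splitlines()):
        if len(rec) != len(FIELDS):  # blank or malformed line
            continue
        row = dict(zip(FIELDS, rec))  # non-IP frames leave ip.src/ip.dst empty
        row["frame.number"] = int(row["frame.number"])
        row["frame.len"] = int(row["frame.len"])
        rows.append(row)
    return rows

def summarize(rows):
    """Packet and byte totals per source: the post-processing left to the script."""
    bytes_by_src, packets_by_src = Counter(), Counter()
    for r in rows:
        src = r["ip.src"] or "<non-ip>"
        bytes_by_src[src] += r["frame.len"]
        packets_by_src[src] += 1
    return {"packets": len(rows), "bytes": sum(bytes_by_src.values()),
            "bytes_by_src": dict(bytes_by_src), "packets_by_src": dict(packets_by_src)}

def run_tshark(pcap_path, display_filter):
    """Run tshark on a capture file if it is installed, else return None."""
    if shutil.which("tshark") is None:
        return None
    proc = subprocess.run(tshark_command(pcap_path, display_filter),
                          capture_output=True, text=True, check=True)
    return summarize(parse_fields_output(proc.stdout))

# Constructed sample of tshark output for FIELDS (not real capture data).
SAMPLE_OUTPUT = "1,10.0.0.5,10.0.0.1,74\n2,10.0.0.1,10.0.0.5,74\n3,10.0.0.5,10.0.0.1,1514\n4,,,60\n"
```

Call `run_tshark("capture.pcap", "tcp")` on a real file; `summarize(parse_fields_output(SAMPLE_OUTPUT))` exercises the parsing and aggregation without tshark present.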
