Re: [Wireshark-dev] --with-ssl action when gnutls is not found
Guy Harris wrote:
> At least one of the reasons why we might need -lcrypto is that we use NetSNMP to get information about particular SNMP variable bindings.

So why not use libsmi instead? It has no reliance on any external libraries. The only disadvantage is that it is more picky than NetSNMP, so it needs better quality MIB files.

-- 
There's no point in being grown up if you can't be childish sometimes. -- Dr. Who

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev
Re: [Wireshark-dev] TCP Reassembly issues
On 7/10/07, Graham Bloice [EMAIL PROTECTED] wrote:
> DNP application message fragments are carried in a transport layer which has a single byte header containing a 6 bit sequence number (tr_seq, 0-63) and two flags, first (tr_fir) and final (tr_fin). A single fragment message will have both flags set. The sequence number does not necessarily reset to 0 at the start of a sequence of fragments, it just runs sequentially from the fragment where the first bit is set.
>
> Because the protocol sequence number is repeated between hosts, I needed to invent a unique one to link related application message fragments together, hence the static seq_number. The aim of this is to allow many conversations between hosts that are individually identifiable, but reuse the protocol sequence number.
>
> If I understand correctly, you are saying that I should only increment this and add fragments when first finding a fragment, i.e. when flag.visited is false.

Maybe packet-nbd.c is useful. NBD clients often reuse the transaction ID once a previous transaction has completed, making tracking more difficult. NBD has a structure attached to each conversation; this structure contains two hashtables, one for unacked packets which is populated on the initial scan and a second hashtable which is used later.
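The tracking scheme described in the quoted post, as an added example: this is not code from the thread or from Wireshark's packet-dnp.c, only a stand-alone model of it. The transport header layout (bit 7 FIN, bit 6 FIR, the low six bits the sequence number) is the DNP3 one; the per-direction conversation key, the global counter standing in for the static seq_number, the visited flag and every frame are assumptions constructed for this example. The point it shows is the one made in the reply: the counter is bumped only on the first pass, and a later pass over the same frames just looks up what was recorded, so redissection never creates new groups.

```python
# Added example: a stand-alone model of DNP3 transport-layer fragment tracking.
# Not Wireshark code. Header bit layout is DNP3's; the conversation key, the
# group counter (the post's "static seq_number") and the visited flag are
# assumptions made for this example.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TR_FIN = 0x80  # final fragment of an application message
TR_FIR = 0x40  # first fragment of an application message
TR_SEQ = 0x3F  # 6-bit transport sequence number (0-63)


def parse_transport_header(octet: int) -> Tuple[bool, bool, int]:
    """Split the one-byte transport header into (fir, fin, seq)."""
    return bool(octet & TR_FIR), bool(octet & TR_FIN), octet & TR_SEQ


@dataclass
class _Conversation:
    # Per-direction state, standing in for a Wireshark conversation struct.
    group_id: Optional[int] = None      # synthetic id of the message being built
    expected_seq: Optional[int] = None  # transport seq the next fragment must carry
    buffer: bytearray = field(default_factory=bytearray)

    def reset(self) -> None:
        self.group_id = None
        self.expected_seq = None
        self.buffer = bytearray()


class DnpTransportReassembler:
    def __init__(self) -> None:
        self._convs: Dict[Tuple[str, str], _Conversation] = {}
        self.next_group = 0                   # analogue of the post's static seq_number
        self.frame_group: Dict[int, int] = {}  # frame number -> group id
        self.messages: Dict[int, bytes] = {}   # group id -> reassembled message

    def add_frame(self, frame_no: int, src: str, dst: str,
                  segment: bytes, visited: bool = False) -> Optional[int]:
        """Feed one transport segment (header byte + data).

        Returns the group id the fragment was linked to, or None if it was
        discarded. State is only updated on the first pass (visited False);
        later passes just look up what the first pass recorded.
        """
        if visited:
            return self.frame_group.get(frame_no)
        if not segment:
            return None

        fir, fin, seq = parse_transport_header(segment[0])
        conv = self._convs.setdefault((src, dst), _Conversation())

        if fir:
            # A new message starts here: allocate a fresh id no matter what
            # protocol sequence number the peer happened to choose.
            self.next_group += 1
            conv.reset()
            conv.group_id = self.next_group
        elif conv.group_id is None or seq != conv.expected_seq:
            # Continuation with no message in progress, or a gap in the
            # sequence: drop it rather than glue it onto the wrong message.
            conv.reset()
            return None

        conv.buffer += segment[1:]
        conv.expected_seq = (seq + 1) & TR_SEQ  # 63 wraps to 0
        group = conv.group_id
        self.frame_group[frame_no] = group

        if fin:
            self.messages[group] = bytes(conv.buffer)
            conv.reset()
        return group

    def message_for(self, frame_no: int) -> Optional[bytes]:
        """Reassembled message for a frame, once its FIN fragment has been seen."""
        group = self.frame_group.get(frame_no)
        return self.messages.get(group) if group is not None else None


def demo() -> DnpTransportReassembler:
    # Constructed frames: both directions happen to start at sequence 5.
    r = DnpTransportReassembler()
    frames = [
        (1, "A", "B", bytes([TR_FIR | 5]) + b"\x01\x02"),
        (2, "B", "A", bytes([TR_FIR | 5]) + b"\xaa"),
        (3, "A", "B", bytes([TR_FIN | 6]) + b"\x03"),
        (4, "B", "A", bytes([TR_FIN | 6]) + b"\xbb"),
        (5, "A", "B", bytes([TR_FIR | TR_FIN | 7]) + b"\x09"),  # single-fragment message
        (6, "A", "B", bytes([9]) + b"\xff"),                    # stray continuation
    ]
    for frame in frames:
        r.add_frame(*frame)
    # Second pass, as when Wireshark redissects with flag.visited set:
    for frame in frames:
        r.add_frame(*frame, visited=True)
    return r


if __name__ == "__main__":
    r = demo()
    print("groups allocated:", r.next_group)
    print("frame -> group:", r.frame_group)
    print("messages:", r.messages)
```

In the constructed run the two directions get group ids 1 and 2 although both use protocol sequence 5, the stray continuation in frame 6 is dropped, and the second pass leaves the counter at 3.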
[Wireshark-dev] wireshark dissector and GPL
Hi,

In case I write a wireshark dissector for a protocol I have developed and then attempt to sell the dissector, am I required to share the code of the dissector with the General Public under GPL?

Thanks,
--MK
Re: [Wireshark-dev] how to disable dissectors when I build TShark ?
On 7/5/07, Shehjar Tikoo [EMAIL PROTECTED] wrote:
> Jean-Grégoire Foulon wrote:
>> I just managed to have a lib 50% smaller by removing some protocols. I will try to post a diff file here (or somewhere else) when I have a satisfying result. I think it can be useful for people trying to get a lightweight version but I don't think I will have time to do something clean and generic enough to be integrated into the repository.
>
> To make this info more accessible, is it possible to put up a wiki page about this? Preferably on wiki.wireshark.org?
>
> Shehjar

I just posted the patch on the wiki: http://wiki.wireshark.org/BuildingAndInstalling. It is a patch for the 0.99.5 version. I will try to adapt it for 0.99.6 and write more detailed instructions later.

Jean-Gregoire
Re: [Wireshark-dev] size of wireshark installation files
> HOW TO REMOVE DISSECTORS
>
> First, modify some files so the unwanted dissectors won't be compiled anymore:
>   Makefile.in
>   epan/Makefile.in
>   epan/dissectors/Makefile.in
>
> You must choose the unwanted dissectors so that there are no dependency problems. The dissectors you leave must not depend on the dissectors you remove. In some cases, you will have to modify the source files to get rid of dependencies. For example, the telnet dissector depends on kerberos; it was patched so we could remove the kerberos dissector and keep the telnet one.
>
> tshark-tap-register.c and epan/dissectors/register.c are generated by Makefiles by parsing source files and adding specific functions they find in those files. They must be deleted to be regenerated with the correct list of functions. Before calling 'make' to build them, you have to remove the unused source files from their original directory, otherwise tshark-tap-register.c and epan/dissectors/register.c will still have references to functions which won't be compiled.
>
> Once everything compiles, try to run Tshark. If you are lucky it will just work out of the box, but it's more likely Tshark will print "Aborted" and exit. It is an assert message which is printed when a dissector can't be added dynamically with the function dissector_add(). It means you have to patch some dissectors to remove dynamic dependencies. All the dissector_add() calls that create problems must be commented out. Be careful not to remove important ones. To know in which file the problem lies, use gdb and its backtrace command:
>
>   gdb tshark
>   run
>   backtrace
>   q
>
> It will give you the file and the line that cause the assert to fail. Once you have removed all the calls that make asserts fail, Tshark should run properly.

Sounds like a possible way to do it. :)

One thing that could help reduce the size of tshark further is to statically link libwireshark to tshark and to strip unused object code.

Regards,
Sebastien Tandel
Re: [Wireshark-dev] wireshark dissector and GPL
Hi,

Something similar was discussed in this thread: http://www.wireshark.org/lists/wireshark-dev/200701/msg00708.html

The short answer is 'yes'.

Best regards,
Abhik.

On 7/10/07, MKS {} [EMAIL PROTECTED] wrote:
> Hi,
>
> In case I write a wireshark dissector for a protocol I have developed and then attempt to sell the dissector, am I required to share the code of the dissector with the General Public under GPL?
>
> Thanks,
> --MK
[Wireshark-dev] filters diameter
hi!

has anyone tested a filter like this:

  (diameter.avp.code == 829) && (diameter.avp.data.uint32 == 1)

is it supposed to work? is it actually working in your config/ver? in my version, it does not, in the sense that it will always show all the diameter commands having an avp with the code 829 but _not_ the ones in which this avp has the value 1.

I am using Version 0.99.4 / linux

thanks!
bye now!
cristian
Re: [Wireshark-dev] filters diameter
That expression will match any frame that has at least one AVP with code value 829 and at least one AVP whose data is uint32 whose value is 1. I suspect that what you want is to match the *same* AVP with both parts of the expression, which I don't think is possible with a simple display filter.

Martin

On 7/10/07, cco [EMAIL PROTECTED] wrote:
> hi!
>
> has anyone tested a filter like this:
>
>   (diameter.avp.code == 829) && (diameter.avp.data.uint32 == 1)
>
> is it supposed to work? is it actually working in your config/ver? in my version, it does not, in the sense that it will always show all the diameter commands having an avp with the code 829 but _not_ the ones in which this avp has the value 1.
>
> I am using Version 0.99.4 / linux
>
> thanks!
> bye now!
> cristian
Re: [Wireshark-dev] filters diameter
Hi Christian,

As you are probably aware, version 0.99.6 came out a few days back, which I am sure has several fixes, including those for the diameter dissector. Have you tried using the latest version?

Hope this helps,
Abhik.

On 7/10/07, cco [EMAIL PROTECTED] wrote:
> hi!
>
> has anyone tested a filter like this:
>
>   (diameter.avp.code == 829) && (diameter.avp.data.uint32 == 1)
>
> is it supposed to work? is it actually working in your config/ver? in my version, it does not, in the sense that it will always show all the diameter commands having an avp with the code 829 but _not_ the ones in which this avp has the value 1.
>
> I am using Version 0.99.4 / linux
>
> thanks!
> bye now!
> cristian
Re: [Wireshark-dev] filters diameter
There are several ways this could be tackled:

(1) A script. Export the capture to PDML, parse the output and match/check them yourself.

(2) We could add a new filterable field, diameter.avp, whose type was hex data. You could right-click to create a filter for that AVP, then edit the last word to check for the value you want (you could sort of do this now, but it would only filter at a fixed position within the message).

(3) The diameter dissector could be changed to generate filterable fields for each AVP. Then you could filter on e.g. diameter.avp.Role-of-Node.value == 1

I could do (2), but I'm not volunteering for (3).

Martin

On 7/10/07, Abhik Sarkar [EMAIL PROTECTED] wrote:
> Hi Christian,
>
> As you are probably aware, version 0.99.6 came out a few days back, which I am sure has several fixes, including those for the diameter dissector. Have you tried using the latest version?
>
> Hope this helps,
> Abhik.
>
> On 7/10/07, cco [EMAIL PROTECTED] wrote:
>> hi!
>>
>> has anyone tested a filter like this:
>>
>>   (diameter.avp.code == 829) && (diameter.avp.data.uint32 == 1)
>>
>> is it supposed to work? is it actually working in your config/ver? in my version, it does not, in the sense that it will always show all the diameter commands having an avp with the code 829 but _not_ the ones in which this avp has the value 1.
>>
>> I am using Version 0.99.4 / linux
>>
>> thanks!
>> bye now!
>> cristian
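Option (1) above, as an added example (not code from the thread or from Wireshark): a script that walks a "tshark -T pdml" export and requires the code and the value to sit in the same AVP. The PDML excerpt is constructed for this example and trimmed to the fields used; that every AVP appears as one <field> subtree holding its own diameter.avp.code and diameter.avp.data.uint32 children is an assumption to check against a real export. The script also reproduces the behaviour Martin describes for the display filter: a frame-level check passes when two different AVPs satisfy the two halves, the per-AVP check does not.

```python
# Added example: per-AVP matching over a PDML export. Not Wireshark code.
# SAMPLE_PDML is a constructed, trimmed excerpt; the AVP subtree layout
# (one <field> per AVP with code/data children) is an assumption.
import sys
import xml.etree.ElementTree as ET
from typing import Iterable, List, Optional

SAMPLE_PDML = """<pdml version="0">
  <packet>
    <proto name="geninfo"><field name="num" show="1"/></proto>
    <proto name="diameter">
      <field name="diameter.avp">
        <field name="diameter.avp.code" show="829"/>
        <field name="diameter.avp.data.uint32" show="1"/>
      </field>
      <field name="diameter.avp">
        <field name="diameter.avp.code" show="830"/>
        <field name="diameter.avp.data.uint32" show="2"/>
      </field>
    </proto>
  </packet>
  <packet>
    <proto name="geninfo"><field name="num" show="2"/></proto>
    <proto name="diameter">
      <field name="diameter.avp">
        <field name="diameter.avp.code" show="829"/>
        <field name="diameter.avp.data.uint32" show="2"/>
      </field>
      <field name="diameter.avp">
        <field name="diameter.avp.code" show="296"/>
        <field name="diameter.avp.data.uint32" show="1"/>
      </field>
    </proto>
  </packet>
  <packet>
    <proto name="geninfo"><field name="num" show="3"/></proto>
    <proto name="diameter">
      <field name="diameter.avp">
        <field name="diameter.avp.code" show="263"/>
      </field>
    </proto>
  </packet>
</pdml>
"""


def _frame_number(packet: ET.Element) -> int:
    num = packet.find("./proto[@name='geninfo']/field[@name='num']")
    return int(num.get("show")) if num is not None else -1


def _avps(packet: ET.Element) -> Iterable[ET.Element]:
    """Yield every field subtree that carries its own diameter.avp.code child."""
    for proto in packet.findall("./proto[@name='diameter']"):
        for fld in proto.iter("field"):
            if fld.find("./field[@name='diameter.avp.code']") is not None:
                yield fld


def _show(avp: ET.Element, name: str) -> Optional[str]:
    child = avp.find(f"./field[@name='{name}']")
    return None if child is None else child.get("show")


def frames_matching_display_filter(pdml: str, code: int, value: int) -> List[int]:
    """Frame-level semantics of
    (diameter.avp.code == code) && (diameter.avp.data.uint32 == value):
    each half may be satisfied by a different AVP of the same frame."""
    matches = []
    for packet in ET.fromstring(pdml).iter("packet"):
        avps = list(_avps(packet))
        has_code = any(_show(a, "diameter.avp.code") == str(code) for a in avps)
        has_value = any(_show(a, "diameter.avp.data.uint32") == str(value) for a in avps)
        if has_code and has_value:
            matches.append(_frame_number(packet))
    return matches


def frames_with_avp(pdml: str, code: int, value: int) -> List[int]:
    """Per-AVP semantics: one and the same AVP must carry both code and value."""
    matches = []
    for packet in ET.fromstring(pdml).iter("packet"):
        if any(_show(a, "diameter.avp.code") == str(code)
               and _show(a, "diameter.avp.data.uint32") == str(value)
               for a in _avps(packet)):
            matches.append(_frame_number(packet))
    return matches


if __name__ == "__main__":
    # Usage: tshark -r capture.pcap -T pdml > capture.pdml
    #        python this_script.py capture.pdml 829 1
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PDML
    code, value = (int(sys.argv[2]), int(sys.argv[3])) if len(sys.argv) > 3 else (829, 1)
    print("display-filter semantics:", frames_matching_display_filter(text, code, value))
    print("same-AVP semantics:      ", frames_with_avp(text, code, value))
```

On the constructed input the display-filter semantics select frames 1 and 2, the per-AVP check only frame 1: frame 2 has code 829 with value 2 and a different AVP (296) with value 1.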
Re: [Wireshark-dev] size of wireshark installation files
Hi,

Should we make dissector_add() and friends fail silently when the referenced dissector is not available? Currently the g_assert() is killing, while a return would suffice. This becomes more relevant since we can delete a dissector on the fly, so we may run into this assert when not expected.

By the way Jean-Grégoire, could you clean up the patch on the Wiki a bit? There seems to be residual development stuff in there, which may cause conflicts.

Thanx,
Jaap

Jean-Grégoire Foulon wrote:
> On 7/9/07, *Guy Harris* [EMAIL PROTECTED] wrote:
>> Cruz, Petagay wrote:
>>> hi, how can I reduce the size of the wireshark library produced in 'make install'? I built without plugins. what is using all the space?
>>
>> Well, for starters, all the dissectors - plugins *aren't* part of the library, they're loaded at run time, but almost all the dissectors in Wireshark are built in, so they're part of the library. There's currently no easy way to select a subset of dissectors to include. The rest of it is the Wireshark core to support dissection, taps, etc.; that can't be removed.
>
> Hi,
>
> I just finished writing a patch for Tshark to disable a lot of dissectors and make it smaller. It is on the wiki: http://wiki.wireshark.org/BuildingAndInstalling
>
> The choice of the removed dissectors is arbitrary, it suits my own use and only works for Tshark, but it can be a good start if you want to get a smaller version of Wireshark. Here is an extract of the readme, correct me if I made any mistakes:
>
> HOW TO REMOVE DISSECTORS
>
> First, modify some files so the unwanted dissectors won't be compiled anymore:
>   Makefile.in
>   epan/Makefile.in
>   epan/dissectors/Makefile.in
>
> You must choose the unwanted dissectors so that there are no dependency problems. The dissectors you leave must not depend on the dissectors you remove. In some cases, you will have to modify the source files to get rid of dependencies. For example, the telnet dissector depends on kerberos; it was patched so we could remove the kerberos dissector and keep the telnet one.
>
> tshark-tap-register.c and epan/dissectors/register.c are generated by Makefiles by parsing source files and adding specific functions they find in those files. They must be deleted to be regenerated with the correct list of functions. Before calling 'make' to build them, you have to remove the unused source files from their original directory, otherwise tshark-tap-register.c and epan/dissectors/register.c will still have references to functions which won't be compiled.
>
> Once everything compiles, try to run Tshark. If you are lucky it will just work out of the box, but it's more likely Tshark will print "Aborted" and exit. It is an assert message which is printed when a dissector can't be added dynamically with the function dissector_add(). It means you have to patch some dissectors to remove dynamic dependencies. All the dissector_add() calls that create problems must be commented out. Be careful not to remove important ones. To know in which file the problem lies, use gdb and its backtrace command:
>
>   gdb tshark
>   run
>   backtrace
>   q
>
> It will give you the file and the line that cause the assert to fail. Once you have removed all the calls that make asserts fail, Tshark should run properly.
>
> Regards,
> Jean-Gregoire
Re: [Wireshark-dev] New WiMAX R6 plug-in
Hi,

First thing to do is test-drive it using fuzztest. Have a collection of capture files ready which fuzztest will feed to your Wireshark+plugin. That way you may find bugs not found during code review. Then make sure all support files are in as stated in README.plugin. Then 'make clean' the plugin directory and gzip it, after which you can attach it to a mail to the developer mailing list. When time permits we'll go over it and consider it for inclusion. In the meantime a Wiki page would be nice, and most importantly, a sample capture file.

Thanx,
Jaap

Nitin Naveen wrote:
> Hi,
>
> I am Nitin Naveen working at HUGHES SYSTIQUE. We have developed a plug-in to display WiMAX R6 messages (between BTS and ASNGW). This plug-in is NOT for the AIR interface. It is for WiMAX signalling messages carried over Ethernet/ IP/ UDP. We have followed most of the guidelines as per README.developer. It would be great if it can be included with the normal Wireshark distribution. Please let us know what are the various steps that we need to follow.
Re: [Wireshark-dev] filters diameter
OK, I just implemented (2) with change 22284. You should be able to right-click on a whole AVP that matches the code you're interested in, choose 'Prepare as Filter | Selected', edit the last 4 bytes and apply it.

Martin

On 7/10/07, Martin Mathieson [EMAIL PROTECTED] wrote:
> There are several ways this could be tackled:
>
> (1) A script. Export the capture to PDML, parse the output and match/check them yourself.
>
> (2) We could add a new filterable field, diameter.avp, whose type was hex data. You could right-click to create a filter for that AVP, then edit the last word to check for the value you want (you could sort of do this now, but it would only filter at a fixed position within the message).
>
> (3) The diameter dissector could be changed to generate filterable fields for each AVP. Then you could filter on e.g. diameter.avp.Role-of-Node.value == 1
>
> I could do (2), but I'm not volunteering for (3).
>
> Martin
>
> On 7/10/07, Abhik Sarkar [EMAIL PROTECTED] wrote:
>> Hi Christian,
>>
>> As you are probably aware, version 0.99.6 came out a few days back, which I am sure has several fixes, including those for the diameter dissector. Have you tried using the latest version?
>>
>> Hope this helps,
>> Abhik.
>>
>> On 7/10/07, cco [EMAIL PROTECTED] wrote:
>>> hi!
>>>
>>> has anyone tested a filter like this:
>>>
>>>   (diameter.avp.code == 829) && (diameter.avp.data.uint32 == 1)
>>>
>>> is it supposed to work? is it actually working in your config/ver? in my version, it does not, in the sense that it will always show all the diameter commands having an avp with the code 829 but _not_ the ones in which this avp has the value 1.
>>>
>>> I am using Version 0.99.4 / linux
>>>
>>> thanks!
>>> bye now!
>>> cristian
Re: [Wireshark-dev] filters diameter
A year or more ago I abandoned a way towards (3) (similar to what I did for the radius dictionary), due to a personal lack of diameter use after switching jobs and a stall about how to handle recursion in attribute_groups. I will be able to get back into it in September (I'll be off-contract and unable to move from Rome). Please remind me then, or as an alternative I could send the work-in-progress for someone else to deal with it.

BTW, in an early MATE prototype (before having it define fields for every user defined element) I used string fields like mate.pdu_avp == avp_name=string_repr_of_value; those allow you to actually filter. I thought about this quick and dirty solution for radius before writing its dictionary support.

On 7/10/07, Martin Mathieson [EMAIL PROTECTED] wrote:
> OK, I just implemented (2) with change 22284. You should be able to right-click on a whole AVP that matches the code you're interested in, choose 'Prepare as Filter | Selected', edit the last 4 bytes and apply it.
>
> Martin
>
> On 7/10/07, Martin Mathieson [EMAIL PROTECTED] wrote:
>> There are several ways this could be tackled:
>>
>> (1) A script. Export the capture to PDML, parse the output and match/check them yourself.
>>
>> (2) We could add a new filterable field, diameter.avp, whose type was hex data. You could right-click to create a filter for that AVP, then edit the last word to check for the value you want (you could sort of do this now, but it would only filter at a fixed position within the message).
>>
>> (3) The diameter dissector could be changed to generate filterable fields for each AVP. Then you could filter on e.g. diameter.avp.Role-of-Node.value == 1
>>
>> I could do (2), but I'm not volunteering for (3).
>>
>> Martin
>>
>> On 7/10/07, Abhik Sarkar [EMAIL PROTECTED] wrote:
>>> Hi Christian,
>>>
>>> As you are probably aware, version 0.99.6 came out a few days back, which I am sure has several fixes, including those for the diameter dissector. Have you tried using the latest version?
>>>
>>> Hope this helps,
>>> Abhik.
>>>
>>> On 7/10/07, cco [EMAIL PROTECTED] wrote:
>>>> hi!
>>>>
>>>> has anyone tested a filter like this:
>>>>
>>>>   (diameter.avp.code == 829) && (diameter.avp.data.uint32 == 1)
>>>>
>>>> is it supposed to work? is it actually working in your config/ver? in my version, it does not, in the sense that it will always show all the diameter commands having an avp with the code 829 but _not_ the ones in which this avp has the value 1.
>>>>
>>>> I am using Version 0.99.4 / linux
>>>>
>>>> thanks!
>>>> bye now!
>>>> cristian

-- 
This information is top security. When you have read it, destroy yourself. -- Marshall McLuhan
Re: [Wireshark-dev] capturing data from a proprietary device
[EMAIL PROTECTED] schrieb:
> I'm trying to figure out how to format (or where to place the data) in the pcap buffer when capturing my WAN protocols. I've built a system that will capture the data and feed it via pcap to wireshark, and I've got it working for Ethernet data and for frame relay data, but I'm having trouble dealing with getting the proprietary data into wireshark intact so that I can later write a dissector. (I'm going to test everything out before submitting my requests for a set of DLT_ numbers for these protocols. In the meantime, I've just taken the next few currently unassigned ones while I work on my code.)
>
> The trouble is that I don't know what values to put into: off_linktype, off_nl and off_nl_nosnap for my DLT cases. (And I think that's where my problem lies.)
>
> Right now, the first thing in each received buffer is the typical 16 bytes of: timestamp_sec, timestamp_usec, capture_len, pkt_len, which is followed by 'n' bytes of my protocol's data. Here's the stuff that I captured and fed into pcap/wireshark:
>
>   Pkt 1 hdr : 46 93 ae 55  00 0c df 4b  00 00 00 0b  00 00 00 0b
>               \---------/  \---------/  \---------/  \---------/
>               timestamp    timestamp    capture len  packet len
>   Pkt 1 data: 01 02 03 01 47 50 70 03 64 7f 7f
>               \-----------------------------/
>               0xb bytes of my captured data
>
>   Pkt 2 hdr : 46 93 ae 56 00 02 3b 7e 00 00 0b 00 00 00 0b
>   Pkt 2 data: 01 02 03 01 3b 50 70 03 18 7f 7f
>
>   Pkt 3 hdr : 46 93 ae 56 00 06 dd db 00 00 00 0b 00 00 00 0b
>   Pkt 3 data: 01 02 03 01 47 50 70 03 64 7f 7f
>   ...
>
> When Wireshark goes to display it, the Protocol column says 'unknown', which I can understand, because I don't have any dissectors for that DLT (WTAP_ENCAP) type yet. The Info column says WTAP_ENCAP = 94. (I don't see where it gets the value of '94' from.)
>
> The summary pane (for the first message) says:
>   Frame 1 had (6 bytes on wire, 6 bytes captured)
>   Data (6 bytes)
> and the (related) detail pane says:
>   7f 56 ae 93 46 7e
>
> I can reverse engineer (see that data pattern in the header of the 2nd data message), but I don't know why it's looking in there, and why it thinks there are only 6 bytes of data, and why it's looking at it with the endianness it is. For the life of me, I can't figure out what I'm doing wrong to cause Wireshark to go looking in there. I have tried to look through docs and mailing lists, but I haven't found anything to help me yet. :-(

Did you notice http://wiki.wireshark.org/Development/LibpcapFileFormat?

Regards, ULFL
[Wireshark-dev] accessing tcp data
Hi all

I'm currently writing a wireshark dissector and I'm stuck at a certain stage. My problem basically is that I need to access the tcp information for particular frames (ex: first frame). When I say tcp information I am referring to the tcp flags.

Any help would be appreciated.

Thanks.
Mike
[Wireshark-dev] Fwd: accessing tcp data
Sorry for the double email, but I forgot to mention that the problem stems from frames that contain only the IP and TCP information, thus causing my dissect_XXX function to not be called, where XXX is the name of my protocol.

Note: forwarded message attached.

---Begin Message---
Hi all

I'm currently writing a wireshark dissector and I'm stuck at a certain stage. My problem basically is that I need to access the tcp information for particular frames (ex: first frame). When I say tcp information I am referring to the tcp flags.

Any help would be appreciated.

Thanks.
Mike
---End Message---
Re: [Wireshark-dev] capturing data from a proprietary device
On Jul 10, 2007, at 2:17 PM, [EMAIL PROTECTED] wrote:
> Yes, I did, and I am in theory following it. The difference is that the document refers to the 'file format' and not the live stream, so the global header is not applicable. This information is (somehow) exchanged in a different manner via DLT_xxx and WTAP_ENCAP_xxx

What do you mean by "the live stream"?
Re: [Wireshark-dev] capturing data from a proprietary device
[EMAIL PROTECTED] schrieb:
>> Did you notice http://wiki.wireshark.org/Development/LibpcapFileFormat?
>
> Yes, I did, and I am in theory following it. The difference is that the document refers to the 'file format' and not the live stream, so the global header is not applicable. This information is (somehow) exchanged in a different manner via DLT_xxx and WTAP_ENCAP_xxx

Well, how do you try to inject stuff into WS then? Do you use a pipe, emulate (enhance) libpcap, emulate (exchange) dumpcap, or what are you doing? Without knowing at which edge you're docking to Wireshark it's pretty difficult to determine what the format should look like.

> Looking at it in more detail... either my DLT_xxx isn't being propagated into Wireshark or my WTAP_ENCAP_xxx in Wireshark isn't being followed, or there's a disconnect somewhere. But presuming that I get the DLT and WTAP to line up, I still don't know what values to put into off_linktype, off_nl and off_nl_nosnap on the pcap side of things.
>
> This document is strictly confidential and intended only for use by the addressee unless otherwise stated. If you are not the intended recipient, please notify the sender immediately and delete it from your system.

If you read this message, destroy yourself ;-)

Regards, ULFL
Re: [Wireshark-dev] Python wrappers for pcapio.[ch]
On Jul 10, 2007, at 6:08 PM, Shehjar Tikoo wrote:
> Does anyone know of Python bindings for the pcapio.[ch] code in the Wireshark source root? I am looking for Python wrappers for writing pcap files and I haven't been able to find a library that does it or does it cleanly.
>
> Shehjar
>
> PS: I ask because I intend to use pcapio.c to create a wrapper.

Why don't you use libpcap to create the wrapper, instead? (I.e., if you don't like the libpcap wrappers for Python that are out there, why not just do a better one?)

> PS2: I've looked at both pcap, pylibpcap and pcapy modules for this functionality.

pylibpcap and pcapy both appear to support writing pcap files, so presumably, if you haven't been able to find a library that does that or does it cleanly, neither of them do it cleanly. What's unclean about how they do it?
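The pcap byte layout argued about in the "capturing data from a proprietary device" thread above, and the pcap writing asked about in this one, as one added example. It is not code from either thread, from libpcap, from pcapio.c or from Wireshark: a writer that emits the 24-byte global header and a 16-byte record header per packet, and a reader that checks what it is given. The timestamps and data bytes are the three packets from the earlier post; LINKTYPE_USER0 (147, one of the link types libpcap reserves for private use) stands in for a private DLT value. Written big-endian, the first record header comes out as exactly the bytes that post shows. Wireshark's pipe input consumes the same byte layout as a file, global header included, so this is what has to arrive on either edge.

```python
# Added example: minimal pcap writer/reader. Not libpcap, pcapio.c or Wireshark
# code. SAMPLE_PACKETS reuses the timestamps and data bytes from the post in the
# earlier thread; LINKTYPE_USER0 stands in for a private link type.
import struct
from typing import List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4   # microsecond pcap; the order of its bytes reveals the file's byte order
LINKTYPE_USER0 = 147      # first of the link types libpcap reserves for private use

Packet = Tuple[int, int, bytes]  # (ts_sec, ts_usec, data)

SAMPLE_PACKETS: List[Packet] = [
    (0x4693AE55, 0x000CDF4B, bytes.fromhex("0102030147507003647f7f")),
    (0x4693AE56, 0x00023B7E, bytes.fromhex("010203013b507003187f7f")),
    (0x4693AE56, 0x0006DDDB, bytes.fromhex("0102030147507003647f7f")),
]


def write_pcap(packets: List[Packet], linktype: int, snaplen: int = 65535,
               byteorder: str = "<") -> bytes:
    """Global header (24 bytes), then a 16-byte record header + data per packet."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, network (link type)
    blob = bytearray(struct.pack(byteorder + "IHHiIII",
                                 PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, data in packets:
        incl_len = min(len(data), snaplen)
        # ts_sec, ts_usec, incl_len (bytes that follow), orig_len (bytes on the wire)
        blob += struct.pack(byteorder + "IIII", ts_sec, ts_usec, incl_len, len(data))
        blob += data[:incl_len]
    return bytes(blob)


def read_pcap(blob: bytes) -> Tuple[int, List[Packet]]:
    """Parse a pcap stream; raise ValueError on anything malformed."""
    if len(blob) < 24:
        raise ValueError("shorter than a global header")
    if blob[:4] == struct.pack("<I", PCAP_MAGIC):
        bo = "<"
    elif blob[:4] == struct.pack(">I", PCAP_MAGIC):
        bo = ">"
    else:
        raise ValueError("bad magic %s" % blob[:4].hex())
    _, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(bo + "IHHiIII", blob[:24])
    if (major, minor) != (2, 4):
        raise ValueError(f"unsupported pcap version {major}.{minor}")

    packets: List[Packet] = []
    off = 24
    while off < len(blob):
        if len(blob) - off < 16:
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(bo + "IIII", blob[off:off + 16])
        off += 16
        if incl_len > orig_len or incl_len > snaplen:
            raise ValueError(f"record at offset {off - 16}: incl_len {incl_len} "
                             f"exceeds orig_len {orig_len} or snaplen {snaplen}")
        data = blob[off:off + incl_len]
        if len(data) != incl_len:
            # One byte missing from any record header shifts every later
            # field; a length field then reads as garbage and lands here.
            raise ValueError(f"record at offset {off - 16}: {incl_len} bytes "
                             f"declared, {len(data)} present")
        off += incl_len
        packets.append((ts_sec, ts_usec, data))
    return linktype, packets


def validate(blob: bytes) -> Optional[str]:
    """None if the stream parses cleanly, otherwise the first problem found."""
    try:
        read_pcap(blob)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    stream = write_pcap(SAMPLE_PACKETS, LINKTYPE_USER0, byteorder=">")
    print("first record header:", stream[24:40].hex(" "))
    with open("user0.pcap", "wb") as fh:   # open with: wireshark user0.pcap
        fh.write(stream)
    print("linktype, packets:", read_pcap(stream))
```

Wireshark shows the frames as unknown data until a dissector is registered for the link type (current Wireshark versions can also map the DLT_USER range to a dissector through the DLT_USER protocol preferences). The reader is deliberately strict: a record header that is one byte short, like the 15-byte "Pkt 2 hdr" line in the earlier post, produces a misread length and is rejected instead of being shown as a few bytes of the wrong frame.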
[Wireshark-dev] variable TCP port in plugin
Hi,

I am working on a plugin which will decode a TCP based protocol. My problem is that the port of that protocol is a variable one. I want to configure it before decoding. How can I do that in a plugin?

-- 
Rahul Ruikar
Re: [Wireshark-dev] variable TCP port in plugin
On Wed, Jul 11, 2007 at 09:52:34AM +0530, Rahul Ruikar wrote:
> I am working on a plugin which will decode a TCP based protocol. My problem is that the port of that protocol is a variable one. I want to configure it before decoding. How can I do that in a plugin?

There are various dissectors that have port number preferences. VNC is one that comes to mind. Look in epan/dissectors/packet-vnc.c for the prefs_register_uint_preference() function that sets the vnc_preference_alternate_port variable. The registration of the port from the preferences is then done in proto_reg_handoff_vnc() in the case of this dissector.

Note that VNC also has default ports that are hard-coded, and there is code to prevent the user from entering one of the default ports in the alternate port preference and then removing it (that would remove the default port).

Steve