Bryant Eastham wrote:
>
> All-
>
> I have been a user of Wireshark for several years. I have been writing
> plugins for some internal protocols, but up until now have had limited
> ability to repay the wireshark community. I now have a need that may
> both help me, and allow some payback…
>
> First, let me say that I have been impressed with the new Expert Info
> and have been integrating many protocol validations into my plugins.
> As we develop implementations it is extremely useful for the engineers
> to use this information as validation – saving a lot of frustration
> during integration. Thanks Ulf!
>

:-)

>
> One potential use of both wireshark/tshark and expert info is not
> supported, however.
>
> I would like to use a combination of tshark/expert info to “monitor”
> our automated testing system and look for protocol violations. We
> already have a great test harness, with the ability to switch OS,
> network protocol, etc. automatically. What I would like to do is
> configure some monitor ports on the 2 switches that we use, run the
> VLAN monitors into another dedicated monitor box, and then capture all
> the traffic during our test runs. This part is normal, no need for change.
>
> In order for this to work, however, I need to:
>
> 1. Identify which tests (programs) were running at the time (this part
> is easy, I can instrument the tests to advertise themselves on the
> network and that will get captured (along with address and port) with
> everything else.
>
> 2. Process the capture(s) and identify protocol violations. I don’t
> believe this is handled today.
>

I'm not sure if I got your point here.

Protocol violations are one of the things that expert infos are all about. Basically "Expert Infos" should be things that a protocol dissector detects to be "uncommon", "not in the specs" ... well, you get the point. This whole thing doesn't depend on any GUI related stuff.

>
> I have seen some posts regarding tshark and expert infos, and I would
> love to see this feature fleshed out. “Love” to the point that I am
> willing to spend time to make it happen…
>
> However, I don’t want to tread on others’ areas of ownership or
> reinvent the wheel, so I am asking the group for how to proceed. I
> infer from several existing tshark features that outputting the expert
> infos might not be extremely difficult. If it turns out that I am
> wrong, then tell me now and I will not bother. If my assumption is
> correct then I imagine that the first step would be to get consensus
> on how to control and present the information. I imagine that making a
> more concrete proposal on this list would be appropriate?
>

So this seems to be the more interesting question. I personally mostly use Wireshark, so I'm not an expert for tshark.

Anyone with a good idea to display the expert info stuff for tshark?

Regards, ULFL
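The two steps quoted above (tests advertising themselves, then attributing protocol violations from the capture), sketched as an added example that is not part of the original thread or of Wireshark. It assumes the test advertisements and the expert info records have already been exported as tab-separated text; that export format, the test names and all sample values are constructed for illustration.

```python
import bisect
from collections import defaultdict

# Constructed sample data, not from a real capture. Assumed formats:
#   advert: epoch <TAB> address <TAB> port <TAB> test name
#   expert: epoch <TAB> address <TAB> port <TAB> severity <TAB> message
ADVERTS = """\
100.0\t10.0.0.5\t4000\ttest_login
160.0\t10.0.0.5\t4000\ttest_bulk_transfer
105.0\t10.0.0.7\t4100\ttest_discovery
"""
EXPERT = """\
110.2\t10.0.0.5\t4000\tError\tLength field exceeds payload
130.9\t10.0.0.7\t4100\tNote\tRetransmission seen
171.4\t10.0.0.5\t4000\tWarn\tUnknown option type
90.0\t10.0.0.5\t4000\tError\tBad checksum
"""

# Expert info severity levels, lowest to highest.
SEVERITY_RANK = {"Chat": 0, "Note": 1, "Warn": 2, "Error": 3}

def load_adverts(text):
    """Map (address, port) -> time-sorted list of (start_time, test_name)."""
    by_endpoint = defaultdict(list)
    for line in text.splitlines():
        ts, addr, port, name = line.split("\t")
        by_endpoint[(addr, int(port))].append((float(ts), name))
    for runs in by_endpoint.values():
        runs.sort()
    return by_endpoint

def attribute_violations(adverts_text, expert_text, min_severity="Warn"):
    """Return {test_name: [(time, severity, message)]} at or above min_severity."""
    adverts = load_adverts(adverts_text)
    threshold = SEVERITY_RANK[min_severity]
    report = defaultdict(list)
    for line in expert_text.splitlines():
        ts, addr, port, severity, message = line.split("\t")
        if SEVERITY_RANK[severity] < threshold:
            continue
        runs = adverts.get((addr, int(port)), [])
        # Latest advertisement from this endpoint at or before the record.
        idx = bisect.bisect_right(runs, (float(ts), chr(0x10FFFF))) - 1
        test = runs[idx][1] if idx >= 0 else "<unattributed>"
        report[test].append((float(ts), severity, message))
    return dict(report)
```

Records that precede any advertisement from their endpoint are kept under `<unattributed>` rather than dropped, so violations outside a known test run still surface in the report.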
