James Gilsinn wrote:
> What I am looking for is a way to have a way to filter a capture file
> for specific packets and then pull particular pieces of data out of
> those packets. The data that I need to pull out is not always what is
> displayed in the "single-line" packet display that Wireshark and Tshark
> display. Most of the data we need is only displayed in the full packet
> view. I've tried to use Wireshark/TShark to convert these files to
> PDML, but then they explode to multiple hundreds of Megabytes. I have
> not found a good way to process these large files.
>
> My project involves doing performance analysis on industrial Ethernet
> devices. Right now, I am working on cyclic jitter analysis of the
> EtherNet/IP protocol (CIP and ENIP). I am using a commercial network
> analyzer to collect the data, then I post-process the data in Tshark and
> some custom software. I would like to eliminate the Tshark step because
> of the reasons I described above. I would like to find a way under
> Windows to connect to Wireshark via a socket interface (or Tshark if
> absolutely necessary) that could maintain the binary nature of the data
> and allow me access to the specific data I need.

You might want to take a look at rawshark. It reads from files and pipes
instead of sockets, but should do what you need otherwise:

http://www.wireshark.org/docs/man-pages/rawshark.html
_______________________________________________
Wireshark-dev mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-dev
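
An added example, not part of the thread and not Wireshark code: one way to take the arrival times for the jitter analysis described in the question straight from the binary capture, with no PDML step. It assumes the analyzer can export a classic (microsecond) pcap file with untagged Ethernet/IPv4 frames and that the cyclic EtherNet/IP I/O traffic uses UDP port 2222; all function names are hypothetical.

```python
import statistics
import struct

ENIP_IO_PORT = 2222  # assumption: cyclic (implicit) EtherNet/IP I/O runs over UDP 2222

def iter_pcap(data):
    """Yield (timestamp_us, frame) for each record of a classic pcap byte string."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic microsecond-resolution pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _origlen = struct.unpack(endian + "4I", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        if len(frame) < caplen:
            break  # truncated final record
        off += 16 + caplen
        yield sec * 1_000_000 + usec, frame

def udp_payload(frame, port):
    """Return the UDP payload of an untagged IPv4 frame sent to `port`, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return None
    if frame[14] >> 4 != 4 or frame[23] != 17:  # IP version 4, protocol UDP
        return None
    udp = 14 + (frame[14] & 0x0F) * 4  # Ethernet header + IP header length
    if len(frame) < udp + 8 or struct.unpack("!H", frame[udp + 2:udp + 4])[0] != port:
        return None
    return frame[udp + 8:]

def cyclic_jitter(data, port=ENIP_IO_PORT):
    """Inter-arrival times (us) of matching packets and worst deviation from their mean."""
    times = [ts for ts, frame in iter_pcap(data) if udp_payload(frame, port) is not None]
    deltas = [b - a for a, b in zip(times, times[1:])]
    mean = statistics.mean(deltas) if deltas else 0
    worst = max((abs(d - mean) for d in deltas), default=0)
    return {"packets": len(times), "deltas_us": deltas, "mean_us": mean, "max_jitter_us": worst}

def sample_pcap(times_us, port=ENIP_IO_PORT):
    """Constructed input: one minimal Ethernet/IPv4/UDP frame per timestamp."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts in times_us:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 32, 0, 0, 64, 17, 0, bytes(4), bytes(4))
        frame = bytes(12) + b"\x08\x00" + ip + struct.pack("!HHHH", port, port, 12, 0) + b"\x01\x02\x03\x04"
        out += struct.pack("<4I", ts // 1_000_000, ts % 1_000_000, len(frame), len(frame)) + frame
    return out
```

Calling `cyclic_jitter(open(path, "rb").read())` on a real export returns the same dictionary; `udp_payload` hands back the raw payload bytes for any further field extraction.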
