Thank you for your answers. For now I will start to use the PDML file. Later on I will try to do it using the Wireshark API.
On Tue, Mar 10, 2009 at 01:27, Guy Harris <[email protected]> wrote:
>
> On Mar 9, 2009, at 5:27 PM, Richard Sharpe wrote:
>
>> At each layer it extracts the fields it needs and puts them into the
>> protocol tree or the columns, however, there is no library that allows
>> you to parse a packet and then say:
>>
>> give me the value of the field tcp.flags or smb.fid or so forth
>>
>> Ethereal is not organized that way.
>
> Well, not *entirely* true, but it's not as if there's some library
> that lets you do that *conveniently*.
>
> In reasonably recent versions of Ethereal - and thus in all versions
> of Wireshark, as the "epan" library was created before the program was
> renamed from Ethereal to Wireshark - the library (called "libethereal"
> in Ethereal, and "libwireshark" in Wireshark) has routines:
>
> epan_init() - initializes the library;
>
> epan_dissect_new() - allocates an epan_dissect_t structure to hold
> the context of a dissection, and returns a pointer to it;
>
> epan_dissect_prime_dfilter() - tells the library which fields you'll
> need to look at (although the API is *really* oriented towards
> "display filters" so you can't just do it by giving it the names of
> the fields);
>
> epan_dissect_run() - hand it an epan_dissect_t, the pseudo-header for
> the packet as returned by *another* Wireshark library (libwiretap),
> the raw packet data for the packet (as returned by libwiretap), and
> some other information;
>
> epan_dissect_free() - releases the epan_dissect_t when you're done
> with the dissection and have extracted the information you want from
> the result.
>
> The values of the fields can be found by looking in the protocol tree
> pointed to by the "tree" member of the epan_dissect_t; you'd have to
> walk through the tree looking for instances of the fields.
>
> As one can tell from the number of places where I just waved my hands
> rather than giving details, this is rather complicated. The library
> was *not* designed to be used by arbitrary applications, so the API is
> somewhat oriented towards its use in Wireshark and TShark.
>
> And, just to add to the complication, I didn't mention that Wireshark
> dissectors maintain state between packets, which they might require in
> order to properly dissect packets, so somebody would want to use
> libwiretap to read an entire capture file, calling epan_dissect_new()/
> epan_dissect_prime_dfilter()/epan_dissect_run()/epan_dissect_free() on
> each of the packets.
>
> So I'm not sure it's possible to have a "simple" program that uses
> it. It might be easier to have TShark read the capture file and
> produce a version of the protocol tree as PDML, and have the program
> read the PDML file, as Stephen Donnelly suggested.
>
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <[email protected]>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:[email protected]?subject=unsubscribe

-- 
Ulisses Costa - http://caos.di.uminho.pt/~ulisses/
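Since the thread settles on having TShark emit PDML (`tshark -T pdml`) and reading that instead of driving libwireshark directly, here is an added example (my own code, not from this thread or from the Wireshark project) that streams a PDML document and answers the "give me the value of tcp.flags or smb.fid" question per packet. The PDML sample is constructed by hand in the layout TShark writes (`packet` / `proto` / nested `field` elements with `name`, `show` and `value` attributes); the field and protocol names are the usual Wireshark ones.

```python
import io
import xml.etree.ElementTree as ET

# Constructed PDML in the shape "tshark -T pdml" produces; not from a real capture.
SAMPLE_PDML = """<?xml version="1.0"?>
<pdml version="0">
  <packet>
    <proto name="ip" showname="Internet Protocol" size="20" pos="14">
      <field name="ip.src" showname="Source: 10.0.0.1" size="4" pos="26" show="10.0.0.1" value="0a000001"/>
    </proto>
    <proto name="tcp" showname="Transmission Control Protocol" size="20" pos="34">
      <field name="tcp.srcport" showname="Source port: 445" size="2" pos="34" show="445" value="01bd"/>
      <field name="tcp.flags" showname="Flags: 0x18 (PSH, ACK)" size="1" pos="47" show="0x18" value="18">
        <field name="tcp.flags.push" showname="Push: Set" size="1" pos="47" show="1" value="1"/>
      </field>
    </proto>
    <proto name="smb" showname="SMB (Server Message Block Protocol)" size="40" pos="54">
      <field name="smb.fid" showname="FID: 0x4001" size="2" pos="80" show="0x4001" value="0140"/>
    </proto>
  </packet>
  <packet>
    <proto name="ip" showname="Internet Protocol" size="20" pos="14">
      <field name="ip.src" showname="Source: 10.0.0.2" size="4" pos="26" show="10.0.0.2" value="0a000002"/>
    </proto>
    <proto name="udp" showname="User Datagram Protocol" size="8" pos="34">
      <field name="udp.srcport" showname="Source port: 53" size="2" pos="34" show="53" value="0035"/>
    </proto>
  </packet>
</pdml>
"""


def field_values(pdml, field_name, attr="show"):
    """Return one list per packet holding the requested attribute of every
    field called field_name ("show" = decoded text, "value" = raw hex).
    Fields nest (tcp.flags contains tcp.flags.push), so the whole packet
    subtree is searched; a packet without the field contributes []."""
    stream = io.StringIO(pdml) if isinstance(pdml, str) else pdml
    per_packet = []
    # iterparse plus clear() keeps memory flat: PDML for a large capture is huge,
    # and the TShark output is only read once, packet by packet.
    for _, elem in ET.iterparse(stream, events=("end",)):
        if elem.tag == "packet":
            per_packet.append([f.get(attr) for f in elem.iter("field")
                               if f.get("name") == field_name])
            elem.clear()
    return per_packet


if __name__ == "__main__":
    print(field_values(SAMPLE_PDML, "tcp.flags"))        # [['0x18'], []]
    print(field_values(SAMPLE_PDML, "smb.fid", "value"))  # [['0140'], []]
```

For a real capture, pass the file object from `open("capture.pdml", encoding="utf-8")` instead of the string; a field that occurs more than once in a packet (for example in a tunnelled or retransmitted layer) shows up as multiple entries in that packet's list.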
