On Oct 18, 2013, at 2:57 AM, Bogdan Harjoc <[email protected]> wrote:

> Hi, if you can add pid+process name as a plugin it would be great,

There's no place in the Wireshark code at which to insert such a plugin.

One place for code to find that information would be in the packet capture 
path.  That would require a capture file format capable of saving that 
information; pcap-ng can do that in at least a couple of ways:

        1) put it in a per-packet comment, which is what tcpdump on OS X 
Mountain Lion and later will do if you tell it to write pcap-ng files (it 
gets that information from libpcap, which gets it from OS X's BPF, which 
supplies it for some - but not all! - *outgoing* packets only);

        2) use the Hone Linux-Sensor project:

                https://github.com/HoneProject/Linux-Sensor

           extensions to pcap-ng:

                https://github.com/HoneProject/Linux-Sensor/blob/master/hone-pcapng.txt

           (they get it through a bunch of Linux kernel modules), and add 
support for those extensions (I have been restructuring the libwiretap library 
to make it handle pcap-ng, including extensions, better; that will include some 
fairly significant API changes - I haven't had time to work on it recently, but 
I'll try to get back to it at some point).

The first requires only changes to dumpcap (which currently does not support 
plugins, and, if it ever supports them, will do so in a *very* controlled 
fashion, as it might have to run with special privileges in order to be able to 
capture traffic, and privileges+plugins is a bit of an invitation to cracking), 
plus whatever OS changes, if any, are needed to get that information in the 
first place.

The second would require changes to libwiretap, as well as dumpcap changes and 
OS changes as needed.

There's no place to insert plugins into, for example, the IP dissection code 
path, as your changes do by modifying the IPv4 dissector.

I.e.:

> On Fri, Oct 18, 2013 at 10:44 AM, 无聊小青年 <[email protected]> wrote:
> Dear sir:
>       I am a beginner on wireshark and I find that your CODE attached on 
> wireshark.org is very useful to me. Should I implement this plugin as the 
> same steps I do when adding a self-designed dissector?

Bogdan's code, at least the version at

        http://www.wireshark.org/lists/wireshark-dev/201212/msg00070.html

is *not* a plugin, it's a patch to the Wireshark source code.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
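As an added example that is not part of this thread (and not code from Wireshark, dumpcap, tcpdump or the Hone project): a minimal pcap-ng writer and reader in Python showing the first approach described above, carrying the pid and process name of the sending process in the per-packet `opt_comment` option (option code 1) of an Enhanced Packet Block. The comment text format `pid=... proc=...`, the sample frames, and the idea that packets without attribution simply get no comment (mirroring the "some, but not all, outgoing packets" caveat) are assumptions made for this example; the block layouts (SHB, IDB, EPB, option encoding) follow the pcap-ng specification.

```python
"""Minimal pcap-ng round trip: attach pid/process name as a per-packet comment.

Example code written for this page, not Wireshark/libwiretap code.
Only little-endian sections (the ones this writer produces) are read.
"""
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
OPT_END, OPT_COMMENT = 0, 1
BYTE_ORDER_MAGIC = 0x1A2B3C4D


def _pad4(b: bytes) -> bytes:
    """Pad to a 32-bit boundary, as pcap-ng requires for data and options."""
    return b + b"\x00" * (-len(b) % 4)


def _options(opts) -> bytes:
    """Encode (code, value) pairs, each padded, terminated by opt_endofopt."""
    out = b"".join(struct.pack("<HH", c, len(v)) + _pad4(v) for c, v in opts)
    return out + struct.pack("<HH", OPT_END, 0)


def _block(btype: int, body: bytes) -> bytes:
    """Frame a block: type, total length, body, total length (again)."""
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def process_comment(pid: int, name: str) -> str:
    """Comment text layout is an assumption for this example, not a standard."""
    return f"pid={pid} proc={name}"


def write_pcapng(packets, linktype=1, snaplen=65535) -> bytes:
    """packets: iterable of (timestamp_us, frame_bytes, comment_or_None)."""
    shb = struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1) + _options([])
    idb = struct.pack("<HHI", linktype, 0, snaplen) + _options([])
    out = _block(SHB, shb) + _block(IDB, idb)
    for ts, data, comment in packets:
        opts = [(OPT_COMMENT, comment.encode("utf-8"))] if comment else []
        body = (struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(data), len(data))
                + _pad4(data) + _options(opts))
        out += _block(EPB, body)
    return out


def read_pcapng(buf: bytes):
    """Return [(timestamp_us, frame_bytes, comment_or_None)] for every EPB.

    Length fields are checked before use: a reader that trusts a zero or
    short block length from an untrusted file would loop forever or read
    out of bounds.
    """
    results, off = [], 0
    while off + 8 <= len(buf):
        btype, total = struct.unpack_from("<II", buf, off)
        if total < 12 or total % 4 or off + total > len(buf):
            raise ValueError(f"bad block length {total} at offset {off}")
        if struct.unpack_from("<I", buf, off + total - 4)[0] != total:
            raise ValueError(f"trailing length mismatch at offset {off}")
        body = buf[off + 8: off + total - 4]
        if btype == SHB and struct.unpack_from("<I", body, 0)[0] != BYTE_ORDER_MAGIC:
            raise ValueError("only little-endian sections supported here")
        if btype == EPB:
            _iface, ts_hi, ts_lo, caplen, _origlen = struct.unpack_from("<IIIII", body, 0)
            data = body[20: 20 + caplen]
            comment, opt_off = None, 20 + caplen + (-caplen % 4)
            while opt_off + 4 <= len(body):
                code, length = struct.unpack_from("<HH", body, opt_off)
                if code == OPT_END:
                    break
                value = body[opt_off + 4: opt_off + 4 + length]
                if code == OPT_COMMENT:
                    comment = value.decode("utf-8", errors="replace")
                opt_off += 4 + length + (-length % 4)
            results.append(((ts_hi << 32) | ts_lo, data, comment))
        off += total
    return results


# Constructed sample frames (not real captures): 14-byte Ethernet header
# plus filler. The first is attributed to a process, the second is not.
SAMPLE_PACKETS = [
    (1382050000000000, b"\x00" * 12 + b"\x08\x00" + b"\x45" + b"\x00" * 45,
     process_comment(4242, "curl")),
    (1382050000000500, b"\x00" * 12 + b"\x08\x00" + b"\x45" + b"\x00" * 45, None),
]


def packets_from_pid(buf: bytes, pid: int):
    """Select packets whose comment names the given pid, the check a user
    of such a file would run instead of a dissector-level plugin."""
    tag = f"pid={pid} "
    return [p for p in read_pcapng(buf) if p[2] and p[2].startswith(tag)]


if __name__ == "__main__":
    blob = write_pcapng(SAMPLE_PACKETS)
    for ts, frame, comment in read_pcapng(blob):
        print(ts, len(frame), comment)
```

Wireshark shows `opt_comment` in the packet details as "Packet comments", so a file written this way is filterable on the comment text without any dissector change; the attribution is only as good as whatever the capturing OS supplied, which is why the second sample packet carries no comment at all.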
