On Mar 6, 2022, at 3:52 PM, Christian <ch...@argonautx.net> wrote:

> Hello out there,
>
> I created a kernel probe module and I want to watch the outputs of this
> module with pcap/Wireshark. Just like usbmon. So I defined a char device in
> the dev-directory /dev/kpnode from which the pcap interface can read the
> output of that module. In order to enable Wireshark to read from this
> device, I started to place a handler function into libpcap:
>
> In pcap.c I put in
>
> #ifdef PCAP_SUPPORT_KPNODE
> #include "pcap-kpnode.h"
> #endif
>
> and later:
>
> #ifdef PCAP_SUPPORT_KPNODE
> { kpnode_findalldevs, kpnode_create },
> #endif
>
> further down:
>
> #ifdef PCAP_SUPPORT_KPNODE
> || strstr(device, "kpnode") != NULL
> #endif
>
> The functions kpnode_findalldevs and kpnode_create are in my files
> pcap-kpnode.c and pcap-kpnode.h. They are not finished yet but the subject
> of this mail is for now, how to connect these functions into libpcap and
> Wireshark so that they are evoked if a device /dev/kpnode emerges.
You do it in libpcap. Then:

if you have a version of Wireshark that's linked with your version of libpcap;

and if kpnode_findalldevs() works, so that its devices show up in Wireshark when it calls pcap_findalldevs();

and if kpnode_create() works, so that it can be opened in Wireshark when it calls pcap_create() on a kpnode device and it can be activated with pcap_activate();

and if dumpcap - which is the program in Wireshark that calls pcap_findalldevs(), pcap_create(), and pcap_activate() - in that version of Wireshark is set up to run with sufficient privileges to open kpnode devices (that may require that it be set-UID to root, or it may not);

and if those devices either use an existing LINKTYPE_/DLT_ value that Wireshark can dissect, or it uses a LINKTYPE_USERn/DLT_USERn value and you've written a dissector for that type and either built it into Wireshark or built it into a plugin for Wireshark and set it up for the USERn value in question;

then it should Just Work in Wireshark.

The bulk of this is a libpcap question, and should be asked on tcpdump-work...@lists.tcpdump.org.

The part that's relevant to Wireshark would be:

"How do I build a version of Wireshark that's linked with my version of libpcap?"

The answer is "install it on your system, complete with headers - the library and headers will, by default, be under /usr/local - and then configure Wireshark from scratch; the CMake configuration for Wireshark should find the /usr/local version and use your libpcap."

"How do I write a dissector for my new link-layer type (assuming that you can't just use an existing LINKTYPE_/DLT_ value)?"

The answer is more complicated.

The rest of your question amounts to

> What did I miss to integrate my handlers into pcap library?

which is a libpcap question and should be asked on tcpdump-work...@lists.tcpdump.org.
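The last step in the reply, a dissector bound to a LINKTYPE_USERn/DLT_USERn value, can be done as a Wireshark Lua plugin without rebuilding Wireshark. The following is an added example, not code from the thread or from the kpnode project; the record layout it parses (8-byte timestamp, 4-byte probe id, 2-byte length, payload) is an assumption, since the mail never describes what /dev/kpnode emits, and it assumes the capture module reports LINKTYPE_USER0.

```lua
-- Added example: Wireshark Lua dissector for a HYPOTHETICAL kpnode record
-- carried in LINKTYPE_USER0 / DLT_USER0. Drop it into the Wireshark
-- personal plugins directory (Help > About > Folders) and restart.
--
-- ASSUMED record layout (not specified anywhere in the thread):
--   bytes 0..7   u64 timestamp, nanoseconds, big-endian
--   bytes 8..11  u32 probe id
--   bytes 12..13 u16 payload length
--   bytes 14..   payload
local kpnode = Proto("kpnode", "kpnode kernel probe record")

local f = {
  ts      = ProtoField.uint64("kpnode.ts",       "Timestamp (ns)", base.DEC),
  probe   = ProtoField.uint32("kpnode.probe_id", "Probe ID",       base.HEX),
  len     = ProtoField.uint16("kpnode.len",      "Payload length", base.DEC),
  payload = ProtoField.bytes ("kpnode.payload",  "Payload"),
}
kpnode.fields = { f.ts, f.probe, f.len, f.payload }

-- Expert info so a bad record is flagged instead of silently misparsed.
local ef_malformed = ProtoExpert.new("kpnode.malformed",
  "Malformed kpnode record", expert.group.MALFORMED, expert.severity.ERROR)
kpnode.experts = { ef_malformed }

local HDR_LEN = 14

function kpnode.dissector(buf, pinfo, tree)
  pinfo.cols.protocol = "KPNODE"
  local subtree = tree:add(kpnode, buf(), "kpnode record")

  if buf:len() < HDR_LEN then
    subtree:add_proto_expert_info(ef_malformed, "truncated header")
    return
  end
  subtree:add(f.ts,    buf(0, 8))
  subtree:add(f.probe, buf(8, 4))
  subtree:add(f.len,   buf(12, 2))

  -- Never trust the in-record length over what was actually captured.
  local plen  = buf(12, 2):uint()
  local avail = buf:len() - HDR_LEN
  if plen > avail then
    subtree:add_proto_expert_info(ef_malformed,
      string.format("length %d exceeds captured %d", plen, avail))
    plen = avail
  end
  if plen > 0 then
    subtree:add(f.payload, buf(HDR_LEN, plen))
  end
  pinfo.cols.info = string.format("probe 0x%08x, %d bytes",
                                  buf(8, 4):uint(), plen)
end

-- Bind to LINKTYPE_USER0; change wtap.USER0 if the module uses another USERn.
DissectorTable.get("wtap_encap"):add(wtap.USER0, kpnode)
```

If the capture module instead reuses an existing LINKTYPE_/DLT_ value, as the reply suggests checking first, no dissector is needed at all.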
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-dev