On Mar 6, 2022, at 3:52 PM, Christian <ch...@argonautx.net> wrote:
> Hello out there, I created a kernel probe module and I want to watch the
> outputs of this module with pcap/Wireshark. Just like usbmon. So I
> defined a char device in the dev-directory /dev/kpnode from which the
> pcap interface can read the output of that module. In order to enable
> Wireshark to read from this device, I started to place a handler
> function into libpcap:
> In pcap.c I put in
> #ifdef PCAP_SUPPORT_KPNODE
> #include "pcap-kpnode.h"
> #endif
> and later:
> #ifdef PCAP_SUPPORT_KPNODE
> { kpnode_findalldevs, kpnode_create },
> #endif
> further down:
> #ifdef PCAP_SUPPORT_KPNODE
> || strstr(device, "kpnode") != NULL
> #endif
>
> The functions kpnode_findalldevs and kpnode_create are in my files
> pcap-kpnode.c and pcap-kpnode.h. They are not finished yet but the
> subject of this mail is for now, how to connect these functions into
> libpcap and Wireshark so that they are evoked if a device /dev/kpnode
> emerges.
You do it in libpcap.
Then:
if you have a version of Wireshark that's linked with your version of
libpcap;
and if kpnode_findalldevs() works, so that its devices show up in
Wireshark when it calls pcap_findalldevs();
and if kpnode_create() works, so that it can be opened in Wireshark
when it calls pcap_create() on a kpnode device and it can be activated with
pcap_activate();
and if dumpcap - which is the program in Wireshark that calls
pcap_findalldevs(), pcap_create(), and pcap_activate() - in that version of
Wireshark is set up to run with sufficient privileges to open kpnode devices
(that may require that it be set-UID to root, or it may not);
and if those devices either use an existing LINKTYPE_/DLT_ value that
Wireshark can dissect, or it uses a LINKTYPE_USERn/DLT_USERn value and you've
written a dissector for that type and either built it into Wireshark or built
it into a plugin for Wireshark and set it up for the USERn value in question;
then it should Just Work in Wireshark.
The bulk of this is a libpcap question, and should be asked on
tcpdump-work...@lists.tcpdump.org.
The part that's relevant to Wireshark would be:
"How do I build a version of Wireshark that's linked with my version of
libpcap?" The answer is "install it on your system, complete with headers -
the library and headers will, by default, be under /usr/local - and then
configure Wireshark from scratch; the CMake configuration for Wireshark should
find the /usr/local version and use your libpcap."
"How do I write a dissector for my new link-layer type (assuming that you can't
just use an existing LINKTYPE_/DLT_ value)?" The answer is more complicated.
The rest of your question amounts to
> What did I miss to integrate my handlers into pcap library?
which is a libpcap question and should be asked on
tcpdump-work...@lists.tcpdump.org.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
