Wireshark-dev: Re: [Wireshark-dev] developing a wireshark application

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 18 May 2007 09:16:07 -0700
naimg@xxxxxxxxxxxxxx wrote:
> hello,
> We are a group of systems and networks engineering students in Antonine
> University (Lebanon) trying to develop a network statistic application.
> We created a connection to an Oracle database, now we are trying to export
> data captured in Wireshark to that database.
> The question is can we access the database where Wireshark stores its
> information? or are there any functions that we can use to get the
> information captured?

Wireshark saves captured packets in libpcap format; it's not really a database, in the sense of, for example, an Oracle database.

You can write a program that uses libpcap/WinPcap to read packets from a capture file - there are wrappers for libpcap/WinPcap in scripting languages such as Perl, Python, and Ruby - the Wikipedia page for pcap

	http://en.wikipedia.org/wiki/Pcap

has a list of wrappers for libpcap/WinPcap in various languages.

*However*, what you have in that file is, for each packet:

	a time stamp for when the packet was first seen by the low-level packet capture code in the OS (note that this could be later than when it was first seen by the host's network adapter, due to various delays in the OS);

	the length of the packet as it was received from the network;

	the number of bytes of packet data that were saved to the file (which could be less than the length of the packet, if you requested that only part of the packet be saved);

	raw packet data.

"Raw packet data" means your code would have to parse the packet itself to find out what type of packet it is (IPv4, IPv6, ARP, IPX, etc.), to find out its link-layer source and destination address, its IPv4 or IPv6 source and destination address if it's an IPv4 or IPv6 packet, the type of protocol running atop IP if it's an IPv4 or IPv6 packet, the {UDP, TCP} source and destination port number if it's a {UDP, TCP} packet, etc.

If you want information of that sort, you might want to have TShark read the file and then write it out in PSML or PDML format (they're XML-based formats), or use the -z proto,colinfo flag to get particular fields written out in the summary format, and then have a script read the output of TShark and write that information to the database.

Or, if your version of Wireshark is built with Lua support, it might be possible to write a Lua program to scan through the packets, get summary or detail information from each packet, and add items to the database for each packet, with something such as LuaSQL:

	http://www.keplerproject.org/luasql/

(Luis, could something such as that be done?) with Wireshark or TShark.
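As an added example (not code from this thread, nor from the Wireshark or libpcap projects), the following Python script does what the reply above describes for the do-it-yourself route: it reads the libpcap file format directly with the standard library, recovers the per-record time stamp, wire length and saved length, and then parses the raw packet data to pull out the Ethernet addresses, the IPv4 addresses and the TCP or UDP ports. The capture it reads is constructed inside the script; the MAC and IP addresses, ports and time stamps are made-up sample values, and the IPv4 checksums are left at zero because the parser does not verify them.

```python
# Added example (not code from the thread): parse libpcap directly with the
# standard library and decode each record's Ethernet / IPv4 / TCP|UDP headers.
import socket
import struct
from dataclasses import dataclass
from typing import Iterator, Optional

PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC = 0xA1B2C3D4, 0xA1B23C4D   # usec / nsec timestamp variants
LINKTYPE_ETHERNET, ETHERTYPE_IPV4, ETHERTYPE_ARP = 1, 0x0800, 0x0806
IPPROTO_TCP, IPPROTO_UDP = 6, 17


@dataclass
class PacketRecord:
    timestamp: float      # when the OS capture code first saw the packet (not the NIC)
    orig_len: int         # length on the wire
    incl_len: int         # bytes actually saved to the file
    truncated: bool       # incl_len < orig_len: the snapshot length cut the packet short
    ethertype: Optional[int] = None
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    ip_proto: Optional[int] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def read_pcap(data: bytes) -> Iterator[PacketRecord]:
    """Walk the global header and records; accepts either byte order and either magic."""
    if len(data) < 24:
        raise ValueError("too short to hold a pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a libpcap file: unknown magic number")
    frac_div = 1e9 if magic == PCAP_MAGIC_NSEC else 1e6
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]   # last header field: link type
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"link type {linktype} not handled; this example decodes Ethernet only")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("file ends in the middle of a record")
        off += 16 + incl_len
        rec = PacketRecord(ts_sec + ts_frac / frac_div, orig_len, incl_len, incl_len < orig_len)
        decode_ethernet(pkt, rec)
        yield rec


def decode_ethernet(pkt: bytes, rec: PacketRecord) -> None:
    if len(pkt) < 14:                       # snapshot too short for an Ethernet header
        return
    rec.dst_mac, rec.src_mac = pkt[0:6].hex(":"), pkt[6:12].hex(":")
    rec.ethertype = struct.unpack("!H", pkt[12:14])[0]
    if rec.ethertype == ETHERTYPE_IPV4:
        decode_ipv4(pkt[14:], rec)


def decode_ipv4(seg: bytes, rec: PacketRecord) -> None:
    if len(seg) < 20 or seg[0] >> 4 != 4:
        return
    ihl = (seg[0] & 0x0F) * 4               # header length in bytes, options included
    if ihl < 20 or len(seg) < ihl:
        return
    rec.ip_proto = seg[9]
    rec.src_ip, rec.dst_ip = socket.inet_ntoa(seg[12:16]), socket.inet_ntoa(seg[16:20])
    if rec.ip_proto in (IPPROTO_TCP, IPPROTO_UDP):
        ports = seg[ihl:ihl + 4]            # first four bytes of both TCP and UDP headers
        if len(ports) == 4:                 # absent when the snapshot was cut short
            rec.src_port, rec.dst_port = struct.unpack("!HH", ports)


# --- constructed sample capture: three Ethernet frames in a little-endian file ---
def _eth(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


def _ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto,
                      0, socket.inet_aton(src), socket.inet_aton(dst))   # checksum left zero
    return hdr + payload


def build_sample_pcap() -> bytes:
    host, gw, bcast = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), b"\xff" * 6
    udp = _ipv4("10.0.0.5", "10.0.0.1", IPPROTO_UDP, struct.pack("!HHHH", 53000, 53, 20, 0) + b"\0" * 12)
    tcp = _ipv4("10.0.0.5", "192.0.2.10", IPPROTO_TCP,
                struct.pack("!HHIIBBHHH", 44321, 443, 1000, 0, 5 << 4, 0x02, 65535, 0, 0))
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1, host,
                      socket.inet_aton("10.0.0.5"), b"\0" * 6, socket.inet_aton("10.0.0.1"))
    frames = [  # (ts_sec, ts_usec, frame, bytes to save)
        (1179504967, 500000, _eth(gw, host, ETHERTYPE_IPV4, udp), 65535),
        (1179504968, 0, _eth(gw, host, ETHERTYPE_IPV4, tcp), 36),      # cut before the TCP ports
        (1179504969, 250000, _eth(bcast, host, ETHERTYPE_ARP, arp), 65535),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame, snap in frames:
        saved = frame[:snap]
        out += struct.pack("<IIII", ts_sec, ts_usec, len(saved), len(frame)) + saved
    return out


def summarize(data: bytes) -> list:
    """Rows ready to hand to a database INSERT: one tuple per packet."""
    return [(r.timestamp, r.orig_len, r.incl_len, r.ethertype, r.src_ip, r.dst_ip,
             r.ip_proto, r.src_port, r.dst_port, r.truncated) for r in read_pcap(data)]
```

The second sample frame is saved with only 36 of its 54 bytes, which is the "could be less than the length of the packet" case from the reply: the IPv4 addresses are still recoverable, but the TCP ports are not, so the row carries None for them and the truncated flag set. Whatever loads these rows into a database should keep that flag, since statistics computed from a capture with a short snapshot length can otherwise silently undercount ports and higher-layer fields; the same caveat applies to fields that TShark's PSML/PDML output leaves empty for the same reason.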