Wireshark-dev: Re: [Wireshark-dev] Possible Enhancement

From: "Guy Harris" <guy@xxxxxxxxxxxx>
Date: Tue, 13 Jun 2006 11:00:43 -0700 (PDT)
Harry J Moyes wrote:

> Suggestion. Is it feasible to create an "annotation" pseudo protocol and
> supporting functionality in Wireshark,

If by "pseudo protocol" you mean a fake protocol running atop the link
layer, it could be done (Microsoft's Network Monitor uses a similar trick
to store statistics in captures), but, if you want to make it generally
usable, you'd not only have to come up with an Ethernet type for it (for
Ethernet and other 802 networks), you'd have to come up with a PPP type
for it (for PPP captures) and so on; that might be especially difficult
for "raw IP" captures (where the capture would need an *IP* protocol
type).

The pcap-ng format has a provision for attaching descriptive text to
various records in the file, which would be the right ultimate solution.

> I'll happily add a wiki entry for the suggestion if the list considers it
> to have some merit. I understand that it implies registering the pseudo
> protocol with pcap.

Not unless you make a fake DLT_ value, the header for which would
presumably include the real link-layer type; using a scheme like that
would mean that any tool you'd want to be able to read files with that
type would have to be changed to support it, and if the application
weren't prepared to handle the link-layer type being in the per-packet
"link-layer" header, which a lot might not be, that wouldn't be possible
without a lot more work.  It might also make using libpcap filters
difficult if not impossible.

Making fake Ethernet, PPP, etc. types would probably work better, and
wouldn't require anything to be registered with libpcap.

> And I realise there may be some reluctance to adding effusively a simple
> text editor to Wireshark.

GUI toolkits all, as far as I know, have a multi-line text field widget,
which means that Wireshark already links with libraries that have (very)
simple text editors.
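To illustrate the pcap-ng provision Guy refers to, here is an added example (not code from this thread or from the Wireshark project): a minimal pcap-ng writer that attaches an opt_comment option to an Enhanced Packet Block, and a reader that walks the blocks and pulls the comments back out. Block and option layouts follow the pcap-ng specification; the sample frame and comment text are constructed for the demo.

```python
import struct
from typing import Iterable, List, Optional, Tuple

OPT_ENDOFOPT, OPT_COMMENT = 0, 1            # option codes from the pcap-ng spec
BT_SHB, BT_IDB, BT_EPB = 0x0A0D0D0A, 1, 6   # Section Header, Interface Description, Enhanced Packet
LINKTYPE_ETHERNET = 1

def _pad4(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 4)        # pcap-ng pads data and option values to 32 bits

def _options(comment: Optional[str]) -> bytes:
    out = b""
    if comment is not None:
        c = comment.encode("utf-8")
        out += struct.pack("<HH", OPT_COMMENT, len(c)) + _pad4(c)
    return out + struct.pack("<HH", OPT_ENDOFOPT, 0)

def _block(block_type: int, body: bytes) -> bytes:
    total = 12 + len(body)                  # type + length + body + trailing length
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)

def build_pcapng(packets: Iterable[Tuple[int, bytes, Optional[str]]]) -> bytes:
    """packets: (timestamp in microseconds, raw Ethernet frame, optional comment)."""
    shb = _block(BT_SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1) + _options(None))
    idb = _block(BT_IDB, struct.pack("<HHI", LINKTYPE_ETHERNET, 0, 65535) + _options(None))
    out = shb + idb
    for ts_us, frame, comment in packets:
        # interface 0, timestamp split high/low, captured len, original len
        body = struct.pack("<IIIII", 0, ts_us >> 32, ts_us & 0xFFFFFFFF, len(frame), len(frame))
        out += _block(BT_EPB, body + _pad4(frame) + _options(comment))
    return out

def read_comments(data: bytes) -> List[Tuple[int, str]]:
    """Return (packet_index, comment) for every EPB carrying an opt_comment."""
    comments, off, pkt = [], 0, 0
    while off < len(data):
        btype, total = struct.unpack_from("<II", data, off)
        if btype == BT_EPB:
            caplen = struct.unpack_from("<I", data, off + 20)[0]
            o, end = off + 28 + (caplen + 3) // 4 * 4, off + total - 4   # options start after padded data
            while o < end:
                code, olen = struct.unpack_from("<HH", data, o)
                if code == OPT_ENDOFOPT:
                    break
                if code == OPT_COMMENT:
                    comments.append((pkt, data[o + 4:o + 4 + olen].decode("utf-8")))
                o += 4 + (olen + 3) // 4 * 4
            pkt += 1
        off += total
    return comments

# constructed sample: a 28-byte broadcast frame with a comment, and one uncommented frame
SAMPLE = [(1_150_221_643_000_000, b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"\0" * 14,
           "first frame after link up"), (1_150_221_644_000_000, b"\0" * 14, None)]
```

Wireshark reads files produced by build_pcapng and shows the comment on the packet, which is the per-record annotation the thread is after without any fake link-layer type.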