Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] tshark output format

From: Sebastien Tandel <sebastien@xxxxxxxxx>
Date: Mon, 22 Jan 2007 18:44:20 +0100
Hi,

>>    I am developing an analysis of the events occurring in ISIS. This 
>> analysis should be an help to network operators to detect problems in 
>> their network. Of course, to do this we have to present the results of 
>> the analysis in a friendly fashion (many different graphs :)). 
>> Furthermore being able to access this information from anywhere and in 
>> real-time is really important for them. From anywhere, today, means 
>> being accessible from a web page. I was then wondering whether you'll 
>> accept a patch which performs an analysis by tshark outputting some 
>> text (hardly human readable) which could be easily inserted in a RRD 
>> by an external script (which could also be distributed by wireshark)?
>>     
>
> I think a better way to integrate this with Wireshark would be to add 
> the graphing capabilities to Wireshark itself.  There could be an option 
> to save these graphs once viewed.  Do you see a problem with doing it 
> this way?

I also would prefer to have something completely integrated to wireshark
but I've identified two problems ...

Currently you have to spend too much time (in terms of code to write) to
be able to output one graph in wireshark. On the other hand, I've also
seen that there is a point on the wishlist to implement a graph API with
a pointer to a library which seems not maintained anymore (libplot, last
release on July 2000). I've found gtkdatabox which can be very helpful
but only for GTK2 (last versions) I therefore have another question : Is
it possible to integrate new graph features (and analysis modules) in
wireshark without being compatible GTK1.2? Or do you have some others
propositions/pointers?


This library would resolve the API graph problem of wireshark for what
it is offering currently ... but if you think as a network operator of a
Tier-1 network (routers worldwidespread), he should be able to perform
the following :
1) captures network data remotely (on host X) => possible with
tshark/tcpdump,
2) analyse these captures (on another host?) => possible with
tshark/wireshark, and
3) be able to look at the graph results from *any* host of the network
without any human interaction (no save button) => wireshark can't do
that in a friendly fashion (vnc is not acceptable either).
I think wireshark should offer the third service as well. Letting
network operators writing their own scripts which parse current text
output of tshark is *not* a good idea. It takes too much time and is too
much dependent of the syntax output which may change at any moment.
On the other hand, imposing a host on which we could see the results is
also too restrictive. (aka one might be in NY for some days and being
unable to access the machine in Paris on which wireshark is doing the
analysis)
For this, we could link RRD with wireshark. If possible we might then
think to a graph API based on RRD. I don't know if it is really
desirable as it implies a "database".



What do you think?



Regards,

Sebastien Tandel