
Wireshark-dev: [Wireshark-dev] Wireshark and Matlab

From: Armen Babikyan <armenb@xxxxxxxxxx>
Date: Wed, 12 Mar 2008 13:28:25 -0400
Hello,

A few months ago, I wrote a tool that lets me use Wireshark's packet
dissection capabilities in Matlab, to numerically analyze packets.  For
example:

 >> b = tshark_read('ws1.pcap', {'frame.number', 'ip.version',
'tcp.seq', 'udp.dstport', 'frame.pkt_len'}, 'ip.version eq 4')

b =

1x14630 struct array with fields:
     frame_number
     ip_version
     tcp_seq
     udp_dstport
     frame_pkt_len

 >> b(3)

ans =

      frame_number: 6
        ip_version: 4
           tcp_seq: []
       udp_dstport: 9618
     frame_pkt_len: 1042

 >>

With this array of structs, a Matlab programmer could trivially plot
packet fields with respect to time, or whatever.

My code, however, makes use of (among other things) the general
bootstrapping portion of libwireshark's API, and I've run into
compatibility issues between successive versions of Wireshark that have similar, but not identical, bootstrapping APIs. Does the Wireshark project intend to standardize this part of libwireshark soon?

If Wireshark is not intending to standardize libwireshark's API
anytime soon, would the developers consider creating #defines for major,
minor, and minorminor numbers for the current version of wireshark, so I
can create preprocessor directives based on these to account for further
changes to the libwireshark API?  For example, I'd like something like this:

#define VERSION "0.99.5" // already exists
#define VERSION_MAJOR 0
#define VERSION_MINOR 99
#define VERSION_MINORMINOR 5

Lastly, is the general public interested in this tool?

Let me know your thoughts.  Thanks!

Armen

--
Armen Babikyan
MIT Lincoln Laboratory
armenb@xxxxxxxxxx . 781-981-1796
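An added example (not code from Armen's tool or from the Wireshark project) of how the proposed VERSION_MAJOR / VERSION_MINOR / VERSION_MINORMINOR defines would be used to guard API differences at compile time, plus a runtime fallback that parses the existing VERSION string when only that is available. The WS_VERSION_* macro names and the parse_ws_version helper are assumptions chosen for this illustration; "0.99.5" is the sample value from the message.

```c
/* Guarding libwireshark API differences by version (illustrative; the
 * WS_VERSION_* names and the parser below are assumptions, not Wireshark's). */
#include <stdlib.h>
#include <string.h>

#ifndef VERSION
#define VERSION "0.99.5"   /* constructed sample; normally comes from config.h */
#endif

/* Pack major.minor.minorminor into one integer that compares naturally. */
#define WS_VERSION_NUMBER(maj, min, mm) (((maj) * 10000) + ((min) * 100) + (mm))

/* Only usable once the proposed per-component defines exist. */
#if defined(VERSION_MAJOR) && defined(VERSION_MINOR) && defined(VERSION_MINORMINOR)
#define WS_VERSION_AT_LEAST(maj, min, mm) \
    (WS_VERSION_NUMBER(VERSION_MAJOR, VERSION_MINOR, VERSION_MINORMINOR) >= \
     WS_VERSION_NUMBER(maj, min, mm))
#endif

/* Runtime fallback: parse a "MAJOR.MINOR.MINORMINOR" string such as VERSION.
 * A suffix starting with '-' after the third number is tolerated (development
 * builds may carry one); anything else malformed returns -1. */
int parse_ws_version(const char *s, int *maj, int *min, int *mm)
{
    long parts[3];
    char *end;
    int i;

    for (i = 0; i < 3; i++) {
        if (*s < '0' || *s > '9')          /* rejects "", ".99", "-1", "+1" */
            return -1;
        parts[i] = strtol(s, &end, 10);
        if (i < 2) {
            if (*end != '.') return -1;     /* rejects "0.99" and "0,99,5" */
            s = end + 1;
        } else if (*end != '\0' && *end != '-') {
            return -1;                      /* rejects "0.99.5a" */
        }
    }
    *maj = (int)parts[0]; *min = (int)parts[1]; *mm = (int)parts[2];
    return 0;
}

/* Convenience: string -> comparable number, or -1 if the string is malformed. */
int ws_version_number(const char *s)
{
    int maj, min, mm;
    if (parse_ws_version(s, &maj, &min, &mm) != 0) return -1;
    return WS_VERSION_NUMBER(maj, min, mm);
}
```

With the runtime form, code that wraps a bootstrapping call can branch on `ws_version_number(VERSION) >= WS_VERSION_NUMBER(0, 99, 5)` until per-component defines make a preprocessor check possible.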