Wireshark-dev: Re: [Wireshark-dev] Using wireshark apis
From: "Luis EG Ontanon" <[email protected]>
Date: Thu, 3 Apr 2008 19:57:02 +0200
Merge, don't fork!

Unless unfeasible, the drive should be to add functionality to the
existing apps instead of writing new ones.

libwireshark was made into a lib to hold what wireshark and tshark had
to have in common, not to become a dissection libary for other apps.
I do not think there has never been an intention to share
libwireshark, and that's why there's no documentation on how to use
it. BTW it is GPLd not LGPLd, i.e.: programs that link to it must be


On Thu, Apr 3, 2008 at 6:14 PM, Eloy Paris <[email protected]> wrote:
> Hi Pavan,
>  On Thu, Apr 03, 2008 at 12:23:04PM +0530, Gupta, Pavan wrote:
>  > I would like to use Wireshark library apis to dissect packets.
>  >
>  > - Call a function in Wireshark providing the filename or buffer as
>  > input. File/buffer will have data in pcap format. This function should
>  > return me dissected data.
>  >
>  > Is there any function that can be called directly?
>  It's not as simple as that - you need to call several functions to
>  initialize the library, to load preferences (which are used by the
>  dissectors), to create the key epan_dissect_t structure, to dissect the
>  packet, to manage the dissection results, etc. It's not hard but the
>  point is that it is not as easy as "dissect(data, data_len)".
>  > I am trying to reverse engineer Wireshark (rather tshark) code but
>  > its taking time to understand the finer details. Also, please share
>  > the way how I can build my application that links to Wireshark
>  > .so libraries. Looking at tshark code, it seems load_cap_file( )
>  > function is the function that needs to be called, but before that
>  > some initialization needs to be done (like initializing dissector,
>  > etc.). The libraries that I need to link are libwiretap.so and
>  > libwireshark.so.
>  It happens that I also have been working on an application that uses
>  libwireshark services for packet dissection. I looked a lot at tshark
>  to understand how the libwireshark API is being invoked and ended up
>  writing a very simple program that allows me to easily play with things
>  without having to deal with the higher complexity of tshark and with the
>  wireshark build environment, and that allows me to play with things like
>  Makefiles and the autoconf script, etc. My test program doesn't have the
>  the bells and whistles that tshark has and uses libpcap to read packets
>  instead of libwirecap.
>  You can download the source code from:
>  http://www.chapus.net/wshark-test/
>  You may have better luck trying to understand this program instead
>  of tshark/wireshark.
>  I was thinking about using this little program as the basis of new
>  documentation on how to write applications that use libwireshark
>  services. Perhaps write a README.libwireshark for the doc/ directory and
>  host the source code for this program somewhere on the Wireshark wiki.
>  Comments from the developers regarding the merits of these ideas are
>  appreciated.
>  Cheers,
>  Eloy Paris.-
>  _______________________________________________
>  Wireshark-dev mailing list
>  [email protected]
>  http://www.wireshark.org/mailman/listinfo/wireshark-dev

This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan