Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Using Wireshark packet parsers and pretty printers

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 9 Mar 2009 18:27:03 -0700

On Mar 9, 2009, at 5:27 PM, Richard Sharpe wrote:

At each layer it extracts the fields it needs and puts them into the
protocol tree or the columns, however, there is no library that allows
you to parse a packet and then say:

  give me the value of the field tcp.flags or smb.fid or so forth

Ethereal is not organized that way.

Well, not *entirely* true, but it's not as if there's some library that lets you do that *conveniently*.

In reasonably recent versions of Ethereal - and thus in all versions of Wireshark, as the "epan" library was created before the program was renamed from Ethereal to Wireshark - the library (called "libethereal" in Ethereal, and "libwireshark" in Wireshark) has routines:

	epan_init() - initializes the library;

epan_dissect_new() - allocates an epan_dissect_t structure to hold the context of a dissection, and returns a pointer to it;

epan_dissect_prime_dfilter() - tells the library which fields you'll need to look at (although the API is *really* oriented towards "display filters" so you can't just do it by giving it the names of the fields);

epan_dissect_run() - hand it an epan_dissect_t, the pseudo-header for the packet as returned by *another* Wireshark library (libwiretap), the raw packet data for the packet (as returned by libwiretap), and some other information;

epan_dissect_free() - releases the epan_dissect_t when you're done with the dissection and have extracted the information you want from the result.

The values of the fields can be found by looking in the protocol tree pointed to by the "tree" member of the epan_dissect_t; you'd have to walk through the tree looking for instances of the fields.

As one can tell from the number of places where I just waved my hands rather than giving details, this is rather complicated. The library was *not* designed to be used by arbitrary applications, so the API is somewhat oriented towards its use in Wireshark and TShark.

And, just to add to the complication, I didn't mention that Wireshark dissector maintain state between packets, which they might require in order to properly dissect packets, so somebody would want to use libwiretap to read an entire capture file, calling epan_dissect_new()/ epan_dissect_prime_dfilter()/epan_dissect_run()/epan_dissect_free() on each of the packets.

So I'm not sure it's possible to have a "simple" program that uses it. It might be easier to have TShark read the capture file and produce a version of the protocol tree as PDML, and have the program read the PDML file, as Stephen Donnelly suggested.