Wireshark-dev: Re: [Wireshark-dev] Using Wireshark packet parsers and pretty printers
From: Guy Harris <[email protected]>
Date: Mon, 9 Mar 2009 18:27:03 -0700
On Mar 9, 2009, at 5:27 PM, Richard Sharpe wrote:

> At each layer it extracts the fields it needs and puts them into the
> protocol tree or the columns, however, there is no library that allows
> you to parse a packet and then say:
>
>   give me the value of the field tcp.flags or smb.fid or so forth
>
> Ethereal is not organized that way.
Well, not *entirely* true, but it's not as if there's some library  
that lets you do that *conveniently*.
In reasonably recent versions of Ethereal - and thus in all versions  
of Wireshark, as the "epan" library was created before the program was  
renamed from Ethereal to Wireshark - the library (called "libethereal"  
in Ethereal, and "libwireshark" in Wireshark) has routines:
	epan_init() - initializes the library;
	epan_dissect_new() - allocates an epan_dissect_t structure to hold the context of a dissection, and returns a pointer to it;
	epan_dissect_prime_dfilter() - tells the library which fields you'll need to look at (although the API is *really* oriented towards "display filters" so you can't just do it by giving it the names of the fields);
	epan_dissect_run() - hand it an epan_dissect_t, the pseudo-header for the packet as returned by *another* Wireshark library (libwiretap), the raw packet data for the packet (as returned by libwiretap), and some other information;
	epan_dissect_free() - releases the epan_dissect_t when you're done with the dissection and have extracted the information you want from the result.
The values of the fields can be found by looking in the protocol tree  
pointed to by the "tree" member of the epan_dissect_t; you'd have to  
walk through the tree looking for instances of the fields.
As one can tell from the number of places where I just waved my hands  
rather than giving details, this is rather complicated.  The library  
was *not* designed to be used by arbitrary applications, so the API is  
somewhat oriented towards its use in Wireshark and TShark.
And, just to add to the complication, I didn't mention that Wireshark
dissectors maintain state between packets, which they might require in
order to properly dissect packets, so somebody would want to use
libwiretap to read an entire capture file, calling
epan_dissect_new()/epan_dissect_prime_dfilter()/epan_dissect_run()/epan_dissect_free()
on each of the packets.
So I'm not sure it's possible to have a "simple" program that uses  
it.  It might be easier to have TShark read the capture file and  
produce a version of the protocol tree as PDML, and have the program  
read the PDML file, as Stephen Donnelly suggested.