Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Wireshark and Google Summer of Code 2010

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 25 Feb 2010 18:29:14 -0800
On Feb 25, 2010, at 5:46 AM, Jakub Zawadzki wrote:

> I'd like to make ncurses frontend for wireshark

Unless it depends on features in ncurses not in System V curses, it should probably be called "cshark" - there might still be some UN*Xes that use System V curses rather than ncurses.  (I don't know whether any non-ancient UN*Xes provide only the original BSD curses, but BSD curses has a lot less functionality than SV curses, so it's probably not a useful target; SV curses is probably the minimum target for which you'd want to develop.)

> Wireshark for big captures is sometimes slow, it eats lot of memory,
> and because of gui - it's not easy to use it remotely.

If the version you're running remotely is X11-based (which currently means "not Windows"), it can be done, although you'd have to set DISPLAY, set your X server up to accept connections from it, etc..

> tshark is better, but it's not interactive.
> I think nshark could fill gap between wireshark and tshark.

It'd still have the memory issue, and probably some of the speed issue, although it'd be easier to run remotely, and wouldn't require that the remote machine have X11 libraries including GTK+ installed.

> I've got also some other ideas, like:
> - Possibility to edit & craft new packets inside wireshark.
>   To easy change private information, like: mac/ip address, mask passwords.

A scheme by which you could specify fields to obscure, by name, might be useful; you'd probably want to maintain a table of mappings (e.g., mapping a given IP or MAC address to another address, mapping a given string to another string) so that the same mapping occurs for a given value of the field.

>   It'd be also possible to fast check how wireshark dissector will behave 
>   if you change this byte to another value... :)

...and that might be useful in combination with the packet injection feature.

> Some plugins idea:
> - Packet injection.
> - Service emulator based on sniffed information.

Presumably those would be UI plugins.