
Wireshark-dev: [Wireshark-dev] Annotating capture files and/or pcap pre-processing

From: Jouni Malinen <jkmalinen@xxxxxxxxx>
Date: Fri, 12 Nov 2010 01:55:31 +0200
Is there any recommended way of annotating capture files in a way that
Wireshark could display in a nice way on the UI? I would like to be able
to insert text comments between frames and it would also be nice to be
able to add expert info entries. So far, I've been using a dummy frame
that I generate in the driver with some bogus headers and ASCII text.
Sure, the information is available in Wireshark, but it is not exactly
in a user-friendly format.

As a new use case, I'm working on a protocol analyzer that goes
through IEEE 802.11 frames and maintains similar state to what the
actual devices have internally to allow most parts of the protocol use
to be verified. In theory, something similar could be done in
packet-ieee80211.c and airpdcap, but at least for me, it is quite a
bit easier to work with an external tool. However, the main drawback
of that is the lack of easy access to marking up the capture with
annotations regarding incorrect protocol use (i.e., something that
should fit in quite nicely with Wireshark expert info, I'd think) and
other comments.

There is an open bugzilla case (Bug 3096) on similar functionality
from a couple of years ago. Has there been any progress on this since
then? Is pcap-ng likely to materialize any time soon? Would there be
other ways of doing this more quickly? Since I'm concentrating on IEEE
802.11 captures with radiotap headers, I would assume I could extend
that with a vendor specific extension etc. to mark the annotations
(and expert info entries?). Sure, it may not be applicable to all link
types, but it may be better than waiting for years for something nicer
to show up...

Would patches to add some kind of annotations using radiotap
extensions or some other vendor specific protocol extensions (e.g.,
Vendor-specific IEEE 802.11 Action frame, etc. that has a unique
identifier since I would assign an OUI/sub-type for this purpose) be
accepted?

- Jouni
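Per-frame comments of the kind asked for above are what the pcap-ng `opt_comment` option carries, and Wireshark shows that option as the packet comment. The following is an added example, not code from the post or from the Wireshark project: it writes a minimal pcapng file whose Enhanced Packet Blocks carry a comment from an external analyzer, then reads the comments back. The block layout follows the pcapng specification; the two radiotap-prefixed frames and the analyzer text are constructed.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 1, 6          # pcapng block types
OPT_ENDOFOPT, OPT_COMMENT = 0, 1          # pcapng option codes
LINKTYPE_IEEE802_11_RADIOTAP = 127        # link type of the post's captures

def _block(btype: int, body: bytes) -> bytes:
    # Generic block: type, total length, body, total length again (trailer).
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def build_pcapng(frames, linktype=LINKTYPE_IEEE802_11_RADIOTAP) -> bytes:
    """frames: iterable of (timestamp_us, frame_bytes, comment_or_None)."""
    out = [_block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)),
           _block(IDB, struct.pack("<HHI", linktype, 0, 0))]
    for ts_us, data, comment in frames:
        body = struct.pack("<IIIII", 0, ts_us >> 32, ts_us & 0xFFFFFFFF,
                           len(data), len(data)) + data + b"\x00" * (-len(data) % 4)
        if comment:  # opt_comment is what Wireshark shows as the packet comment
            raw = comment.encode("utf-8")
            body += struct.pack("<HH", OPT_COMMENT, len(raw)) + raw + b"\x00" * (-len(raw) % 4)
            body += struct.pack("<HH", OPT_ENDOFOPT, 0)
        out.append(_block(EPB, body))
    return b"".join(out)

def read_comments(pcapng: bytes):
    """Walk the blocks; return [(frame_bytes, comment_or_None)] per EPB."""
    result, off = [], 0
    while off < len(pcapng):
        btype, total = struct.unpack_from("<II", pcapng, off)
        if btype == EPB:
            caplen = struct.unpack_from("<I", pcapng, off + 20)[0]
            data, comment = pcapng[off + 28:off + 28 + caplen], None
            pos = off + 28 + (caplen + 3) // 4 * 4  # options follow padded data
            while pos + 4 <= off + total - 4:      # stop at the trailing length
                code, olen = struct.unpack_from("<HH", pcapng, pos)
                if code == OPT_ENDOFOPT:
                    break
                if code == OPT_COMMENT:
                    comment = pcapng[pos + 4:pos + 4 + olen].decode("utf-8")
                pos += 4 + (olen + 3) // 4 * 4
            result.append((data, comment))
        off += total
    return result

SAMPLE = build_pcapng([  # constructed: two fake radiotap frames, 2nd annotated
    (1289519731000000, b"\x00\x00\x08\x00\x00\x00\x00\x00\x80\x00", None),
    (1289519731000500, b"\x00\x00\x08\x00\x00\x00\x00\x00\xb0\x00",
     "analyzer: Authentication frame received in unexpected state")])
```

Writing `SAMPLE` to a file with a `.pcapng` extension and opening it in Wireshark shows the second frame's text in its packet comment.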