Wireshark-dev: [Wireshark-dev] Loading Wireshark data into a SQL database (new GNU tool availab
From: Thomas Richards <[email protected]>
Date: Thu, 23 Jun 2011 13:50:56 +1000

A number of people have asked about loading Wireshark data into a SQL database, both on this mailing list and on the Wireshark wiki. Command Five Pty Ltd <http://www.commandfive.com> has just released a free (GNU) tool called C5 SIGMA <http://www.commandfive.com/downloads/c5sigma.html> that automates the task of processing multiple capture files through TShark and loading the results into SQL Server. The tool could be ported to other database systems fairly easily (source code is available for download).

C5 SIGMA works by flattening the protocol tree into a set of tables, columns and foreign keys with a schema that is generated automatically from the TShark XML. Standard Wireshark field names are used where available and "intelligently" generated names are used for text nodes (i.e. you can query against fields that you normally can't write filters for). The generated names don't include any capture data (so you won't end up with tables named "www_google_com" or "joebloggs_at_wireshark_org" etc).

We've found C5 SIGMA invaluable as a tool for intrusion analysis and data correlation; hopefully you also find it useful. If you have feedback, bug reports, feature requests, or would like to contribute to the source code, please let us know: <[email protected]>

Thomas Richards
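As an added illustration of the flattening the announcement describes (this is not C5 SIGMA's code, and it targets SQLite rather than SQL Server), the example below parses a constructed TShark PDML (`tshark -T pdml`) snippet, turns each `<proto>` into a table keyed by `packet_id`, names columns from Wireshark field names, and gives unnamed text nodes a positional `text_N` name so that no capture data ends up in the schema. The `text_N` scheme and the `ident` validation are assumptions of this example, not a description of how C5 SIGMA generates its names.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed two-packet sample in TShark's PDML format (tshark -T pdml); not real capture data.
SAMPLE_PDML = """<pdml>
 <packet><proto name="frame"><field name="frame.number" show="1"/></proto>
  <proto name="ip"><field name="ip.src" show="10.0.0.1"/><field name="ip.dst" show="10.0.0.2"/></proto>
  <proto name="tcp"><field name="tcp.dstport" show="80"/><field show="[SYN] Connection establish request"/></proto></packet>
 <packet><proto name="frame"><field name="frame.number" show="2"/></proto>
  <proto name="ip"><field name="ip.src" show="10.0.0.2"/><field name="ip.dst" show="10.0.0.1"/></proto>
  <proto name="tcp"><field name="tcp.dstport" show="44321"/><field show="[SYN, ACK] Connection establish acknowledge"/></proto></packet>
</pdml>"""

def ident(name):
    # Identifiers derive only from Wireshark proto/field names, never from captured values; validate anyway.
    name = name.replace(".", "_").replace("-", "_")
    if not re.fullmatch(r"[A-Za-z_]\w*", name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return name

def column_name(field, index):
    # Unnamed text nodes get a positional name (e.g. text_1) so no capture data leaks into the schema.
    return ident(field.get("name")) if field.get("name") else f"text_{index}"

def load_pdml(pdml_text, conn=None):
    # Flatten each <proto> into a table of the same name, one row per packet, keyed by packet_id.
    conn = sqlite3.connect(":memory:") if conn is None else conn
    conn.execute("CREATE TABLE IF NOT EXISTS packets (packet_id INTEGER PRIMARY KEY)")
    for packet in ET.fromstring(pdml_text).iter("packet"):
        packet_id = conn.execute("INSERT INTO packets DEFAULT VALUES").lastrowid
        for proto in packet.findall("proto"):
            table = ident(proto.get("name"))
            row = {column_name(f, i): f.get("show") for i, f in enumerate(proto.findall("field"))}
            conn.execute(f'CREATE TABLE IF NOT EXISTS "{table}" (packet_id INTEGER REFERENCES packets(packet_id))')
            existing = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
            for col in row:
                if col not in existing:  # schema grows as new fields appear in later packets
                    conn.execute(f'ALTER TABLE "{table}" ADD COLUMN "{col}" TEXT')
            cols = ["packet_id", *row]
            conn.execute(f'INSERT INTO "{table}" ({",".join(cols)}) VALUES ({",".join("?" * len(cols))})',
                         [packet_id, *row.values()])  # values are bound parameters, never interpolated
    conn.commit()
    return conn

def dst_ports_from(conn, src):
    # A cross-protocol join that a single display filter cannot express.
    sql = "SELECT tcp.tcp_dstport FROM ip JOIN tcp USING (packet_id) WHERE ip.ip_src = ? ORDER BY packet_id"
    return [r[0] for r in conn.execute(sql, (src,))]
```

Because table and column names are taken from the dissector's schema rather than from packet contents, the same tables come out of every capture, which is what makes correlation queries across many files practical.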