Wireshark-dev: [Wireshark-dev] remote control Wireshark
From: Dirk Jagdmann <[email protected]>
Date: Thu, 05 Jul 2012 21:11:53 -0700
Hello developers,

I'm planning to develop a feature for two use cases. I'd like to control (or
better select) the currently displayed packet from another process. I don't
think Wireshark currently offers such a feature, so I'd like to get ideas how I
should implement this. Let me first describe what I'd like to do.

I often have multiple capture files made at different points in the network and I
want to track certain packets as they showed up in the capture files. I can
start multiple Wireshark processes and load a capture file into each of them.
Now I want to add a "fingerprint" to each packet, probably in the packet_info
structure. The different dissectors can then calculate a fingerprint of the
payload and set the fingerprint variable. Of course the idea is that my multiple
Wireshark processes with the multiple capture files will see the same packets
and the dissectors will calculate the same fingerprints. When I now select a
packet in one of the Wiresharks I can ask that Wireshark to send a "goto
request" to any other running Wireshark. The goto request will include the
fingerprint of the current packet. When a Wireshark receives such a goto request
it will check if it knows about a packet with such a fingerprint and then goes
to that packet.

The second use case is correlating capture files with log files (webserver,
syslog). The log files usually contain timestamp information (only with second
precision, but better than nothing). I want to write a log file viewer which for
every line calculates the Unix timestamp. If I select a line in my log file
viewer it sends a "goto request" to all running Wiresharks. Here the goto request
contains the unix timestamp and Wireshark will go to the first packet >= the
timestamp. The idea is that I can select an interesting point in time in my log
file and see packets from that time in Wireshark.

Both use cases involve a sender and multiple receiver scenario. I don't need to
send these requests to a different computer, so a local message bus is
sufficient. In the KDE and Gnome world
http://www.freedesktop.org/wiki/Software/dbus would be a natural choice, but I
don't think that Wireshark uses dbus on Windows or OS X.

So I'd like to get opinions on what kind of technology for the inter process
communication I should use, that will work on Windows, OS X and the Linux/BSD
world. Did someone start such a project? Would we prefer a certain existing
protocol/library? I could also think about simply using a multicast socket and
send messages across. This would without further effort allow Wireshark control
from different hosts.

---> Dirk Jagdmann
----> http://cubic.org/~doj
-----> http://llg.cubic.org
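
An added sketch of the goto-request exchange described in the post above, written for this page and not taken from Wireshark or from Dirk's own work: the sender encodes either a payload fingerprint or a Unix timestamp into one small datagram, and every receiver holds an index of its own capture file and resolves the request to a frame number (exact fingerprint match, or the first frame with a timestamp >= the requested one, as the post specifies). The multicast group, port, JSON layout, function names and the sample frames are all assumptions made here. Since a multicast socket lets any host on the link send requests, the receiver parses strictly and treats a request purely as a lookup key; nothing in the message is trusted beyond that. The loopback round trip at the bottom needs a host that permits multicast; the index and the codec run without any network.

```python
import bisect
import hashlib
import json
import socket
import struct

# Group, port, JSON layout and every name here are assumptions for this example; Wireshark defines none of them.
MCAST_GROUP = "239.255.0.77"  # administratively scoped, picked arbitrarily
MCAST_PORT = 9177             # picked arbitrarily
PROTO_VERSION = 1
MAX_DATAGRAM = 512            # goto requests are tiny; anything larger is dropped

def packet_fingerprint(stable_bytes):
    """Hash only bytes that survive the trip between capture points (payload, not IP/MAC headers)."""
    return hashlib.sha256(stable_bytes).hexdigest()

def encode_goto(kind, value):
    """kind is 'fingerprint' (hex digest) or 'time' (Unix timestamp, matched with >=)."""
    return json.dumps({"v": PROTO_VERSION, "type": kind, "value": value}).encode()

def decode_goto(datagram):
    """Strictly parse one goto request; anything malformed or unknown yields None."""
    if len(datagram) > MAX_DATAGRAM:
        return None
    try:
        msg = json.loads(datagram.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(msg, dict) or msg.get("v") != PROTO_VERSION:
        return None
    kind, value = msg.get("type"), msg.get("value")
    if kind == "fingerprint" and isinstance(value, str) and len(value) == 64:
        return {"type": kind, "value": value}
    if kind == "time" and isinstance(value, (int, float)) and not isinstance(value, bool):
        return {"type": kind, "value": float(value)}
    return None  # a request is only ever a lookup key; nothing else is acted on

class CaptureIndex:
    """Per-receiver state built after dissection: fingerprint -> frame, and frames sorted by time."""

    def __init__(self, frames):  # iterable of (frame_number, unix_ts, stable_bytes)
        self.by_fingerprint = {}
        by_time = []
        for number, ts, stable in frames:
            # first occurrence wins, so a retransmitted copy cannot redirect the goto
            self.by_fingerprint.setdefault(packet_fingerprint(stable), number)
            by_time.append((ts, number))
        by_time.sort()
        self.times = [ts for ts, _ in by_time]
        self.frames_by_time = [n for _, n in by_time]

    def goto_fingerprint(self, fingerprint):
        return self.by_fingerprint.get(fingerprint)

    def goto_time(self, unix_ts):
        i = bisect.bisect_left(self.times, unix_ts)  # first frame with ts >= unix_ts
        return self.frames_by_time[i] if i < len(self.times) else None

    def handle(self, datagram):
        req = decode_goto(datagram)
        if req is None:
            return None
        if req["type"] == "fingerprint":
            return self.goto_fingerprint(req["value"])
        return self.goto_time(req["value"])

# Constructed sample capture (frame number, timestamp, payload); not real traffic.
SAMPLE_FRAMES = [
    (1, 1341540712.10, b"GET / HTTP/1.1"),
    (2, 1341540712.90, b"HTTP/1.1 200 OK"),
    (3, 1341540713.25, b"GET /favicon.ico HTTP/1.1"),
    (4, 1341540715.00, b"GET /login HTTP/1.1"),
]

def loopback_roundtrip(datagram, timeout=1.0):
    """Send one goto request to the group and let a receiver on this host answer it from SAMPLE_FRAMES."""
    index = CaptureIndex(SAMPLE_FRAMES)
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # several Wiresharks share the port
    rx.bind(("", MCAST_PORT))
    rx.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,
                  struct.pack("4s4s", socket.inet_aton(MCAST_GROUP), socket.inet_aton("0.0.0.0")))
    rx.settimeout(timeout)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)   # 1 = this link only
    tx.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_LOOP, 1)  # also deliver to our own receiver
    try:
        tx.sendto(datagram, (MCAST_GROUP, MCAST_PORT))
        data, _ = rx.recvfrom(MAX_DATAGRAM + 1)
        return index.handle(data)
    finally:
        tx.close()
        rx.close()

if __name__ == "__main__":
    print("log line ->", loopback_roundtrip(encode_goto("time", 1341540713)))  # second precision, as in syslog
    fp = packet_fingerprint(b"GET /favicon.ico HTTP/1.1")
    print("fingerprint ->", loopback_roundtrip(encode_goto("fingerprint", fp)))
```

With the constructed frames, a log line stamped 1341540713 resolves to frame 3 (the first frame at or after that second), and a request carrying the fingerprint of frame 3's payload also resolves to frame 3. Unknown fingerprints, timestamps past the end of the capture and malformed datagrams all resolve to None, so a receiver simply stays where it is; the fingerprint only works across capture files if the dissector hashes bytes that are identical at every capture point, which is why the example hashes the payload rather than the whole frame.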