
Wireshark-dev: [Wireshark-dev] New pseudo interface/capture device

From: "Carpenter, Brandon J" <brandon.carpenter@xxxxxxxx>
Date: Thu, 31 Jan 2013 11:53:53 -0800
I am looking to add to Wireshark the ability to do live capture from the Hone Linux sensor <https://github.com/HoneProject/Linux-Sensor>.  Hone is a tool for correlating packets to processes and provides PCAP-NG data directly from a character device.  The additional PCAP-NG options and blocks provided by Hone are described on the GitHub wiki <https://github.com/HoneProject/Linux-Sensor/wiki/Augmented-PCAP-Next-Generation-Dump-File-Format>, but aren't relevant to this discussion.

Currently, the character device has to be read from and copied to a file to view the output in Wireshark.  The easiest way to do this is with cat (i.e. `cat /dev/hone > hone.pcapng`), but that can result in a partial PCAP-NG block being written at the end of the capture as cat doesn't know about block boundaries.  The hone log daemon included with the sensor source, honelogd, communicates with the driver to ensure it finishes on a block boundary (i.e. `honelogd -f hone.pcapng`).  The resulting capture file can then be read by wireshark.

What is the best way to do live capture on a character special device which is already in PCAP-NG format?  I was originally considering modifying dumpcap, but after looking at the code some, I'm not sure that is the right approach.  The character device needs to be opened and the output can be used directly, but will need to be copied to the temp file or ring buffer because the device doesn't support seeking.  When the capture is stopped, an ioctl needs to be issued to the character device to return zero from read() after the current packet is completely read.

Any help here is much appreciated.

Thanks,

Brandon
--
__________________________

Brandon Carpenter
Secure Cyber Systems, CSA
National Security Directorate
Pacific Northwest National Laboratory
www.pnnl.gov <http://www.pnnl.gov>
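The partial-block problem described in the post (plain `cat` stops at an arbitrary byte, so the last PCAP-NG block in the file may be cut short) can be handled on the reading side by copying only whole blocks. The script below is an added example, not code from the post, from the Hone project or from Wireshark: it walks the PCAP-NG block framing (block type, total length, body, trailing total length), picks up byte order from each Section Header Block's byte-order magic, writes every complete block to the output and reports how many trailing bytes belonged to an incomplete block. The input is a constructed byte string built inline from hand-packed SHB/IDB/EPB blocks plus a deliberately truncated EPB; a real sensor device or the ioctl the post mentions is not modeled, only a readable stream that hits EOF.

```python
import io
import struct

SHB_TYPE = 0x0A0D0D0A          # Section Header Block; same value in both byte orders
BYTE_ORDER_MAGIC = 0x1A2B3C4D  # written in the section's native byte order


def _read_exact(stream, n):
    """Read exactly n bytes, or whatever remains if EOF arrives first."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            break
        buf.extend(chunk)
    return bytes(buf)


def copy_complete_blocks(stream, out):
    """Copy whole PCAP-NG blocks from stream to out.

    Returns (blocks_written, partial_bytes_dropped).  A block that ends
    early at EOF is never written, so the output always ends on a block
    boundary; an implausible length field raises instead of emitting junk.
    """
    endian = "<"  # assumed until the first SHB says otherwise
    blocks = 0
    while True:
        header = _read_exact(stream, 8)
        if len(header) < 8:
            return blocks, len(header)
        # SHB_TYPE is byte-order symmetric, so "<" is safe for this comparison only
        block_type = struct.unpack("<I", header[:4])[0]
        if block_type == SHB_TYPE:
            magic = _read_exact(stream, 4)
            if len(magic) < 4:
                return blocks, 8 + len(magic)
            if magic == struct.pack("<I", BYTE_ORDER_MAGIC):
                endian = "<"
            elif magic == struct.pack(">I", BYTE_ORDER_MAGIC):
                endian = ">"
            else:
                raise ValueError("bad byte-order magic in SHB")
            head = header + magic
        else:
            head = header
        total_len = struct.unpack(endian + "I", header[4:8])[0]
        if total_len < 12 or total_len % 4 != 0:
            raise ValueError("invalid block total length %d" % total_len)
        rest = _read_exact(stream, total_len - len(head))
        if len(rest) < total_len - len(head):
            return blocks, len(head) + len(rest)      # truncated block: drop it
        trailer = struct.unpack(endian + "I", rest[-4:])[0]
        if trailer != total_len:
            raise ValueError("leading/trailing block length mismatch")
        out.write(head + rest)
        blocks += 1


# --- constructed sample input (little-endian, no options) -------------------

def _block(block_type, body):
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def _shb():
    return _block(SHB_TYPE, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))


def _idb(linktype=1, snaplen=65535):
    return _block(1, struct.pack("<HHI", linktype, 0, snaplen))


def _epb(data, iface=0, ts=0):
    pad = (-len(data)) % 4
    body = struct.pack("<IIIII", iface, ts >> 32, ts & 0xFFFFFFFF,
                       len(data), len(data)) + data + b"\0" * pad
    return _block(6, body)


# 28-byte SHB + 20-byte IDB + 40-byte EPB, then the first 20 bytes of a
# 36-byte EPB, mimicking what `cat` leaves behind when stopped mid-block.
CONSTRUCTED_STREAM = (_shb() + _idb() + _epb(b"\xde\xad\xbe\xef\x00\x01")
                      + _epb(b"abc")[:20])


def demo():
    out = io.BytesIO()
    blocks, dropped = copy_complete_blocks(io.BytesIO(CONSTRUCTED_STREAM), out)
    return blocks, dropped, out.getvalue()


if __name__ == "__main__":
    n, dropped, data = demo()
    print("wrote %d blocks (%d bytes), dropped %d partial bytes" % (n, len(data), dropped))
```

Pointing `copy_complete_blocks` at an opened device and a file gives the same trimmed output that the post attributes to honelogd; the trailing-length check is what catches a stream that was cut inside a block rather than between blocks.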