Wireshark-dev: Re: [Wireshark-dev] Questions on Wireshark plugins “show pid”
From: Guy Harris <[email protected]>
Date: Fri, 18 Oct 2013 12:58:57 -0700
On Oct 18, 2013, at 2:57 AM, Bogdan Harjoc <[email protected]> wrote:

> Hi, if you can add pid+process name as a plugin it would be great,

There's no place in the Wireshark code at which to insert such a plugin.

One place for code to find that information would be in the packet capture path.  That would require a capture file format capable of saving that information; pcap-ng can do that in at least a couple of ways:

	1) put it in a per-packet comment, which is what tcpdump on OS X Mountain Lion and later will do if you tell them to write pcap-ng files (it gets that information from libpcap, which gets it from OS X's BPF, which supplies it for some - but not all! - *outgoing* packets only);

	2) use the Hone Linux-Sensor project:

		https://github.com/HoneProject/Linux-Sensor

	   extensions to pcap-ng:

		https://github.com/HoneProject/Linux-Sensor/blob/master/hone-pcapng.txt

	   (they get it through a bunch of Linux kernel modules), and add support for those extensions (I have been restructuring the libwiretap library to make it handle pcap-ng, including extensions, better; that will include some fairly significant API changes - I haven't had time to work on it recently, but I'll try to get back to it at some point).

The first requires only changes to dumpcap (which currently does not support plugins, and, if it ever supports them, will do so in a *very* controlled fashion, as it might have to run with special privileges in order to be able to capture traffic, and privileges+plugins is a bit of an invitation to cracking), plus whatever OS changes, if any, are needed to get that information in the first place.

The second would require changes to libwiretap, as well as dumpcap changes and OS changes as needed.

There's no place to insert plugins into, for example, the IP dissection code path, as your changes do by modifying the IPv4 dissector.

I.e.:

> On Fri, Oct 18, 2013 at 10:44 AM, 无聊小青年 <[email protected]> wrote:
> Dear sir:
>       I am a beginner on wireshark and I find that your CODE attached on wireshark.org is very useful to me. Should I implement this plugin as the same steps I do when adding a self-designed dissector?

Bogdan's code, at least the version at

	http://www.wireshark.org/lists/wireshark-dev/201212/msg00070.html

is *not* a plugin, it's a patch to the Wireshark source code.