
Wireshark-dev: Re: [Wireshark-dev] PcapNG format support for dumpcap

From: Roland Knall <rknall@xxxxxxxxx>
Date: Thu, 16 Jul 2015 21:38:57 +0200
Thank you for your reply. 

We have not been investigating far into dumpcap as of right now, so we just assumed that the capture would be passed directly. But from what I am reading, this sounds good enough for us.

I agree that this is a non-trivial project, but we really would need something like that, and we are actively looking into that. If and when we are going to develop something like that has not been decided yet.

kind regards,
Roland

On Thu, Jul 16, 2015 at 9:20 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:

On Jul 16, 2015, at 12:49 AM, Roland Knall <rknall@xxxxxxxxx> wrote:

> I've filed a bug report (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11370) for support in dumpcap and wireshark, to enable pcapng as a data format for capturing.

By which you presumably mean "enable pcap-ng as a data format that dumpcap supports when capturing from a pipe", as dumpcap has been able to *write* pcap-ng dump files for several releases - and has even *defaulted* to pcap-ng for the past few releases.

> We would need this for an extcap interface, where we would use the packet comments to add additional information to each packet, as otherwise we would have to write text files during capture, and these files are not forwarded correctly if a customer sends in a trace. Also we have to handle two data formats for the utility as of right now, which seems a little bit bloated.
>
> My question therefore is, is anyone working on that,

Not that I know of.

> or are there reasons why not?

It's a non-trivial project, and you're the first one who needed it enough to start looking at it?

> If no one is working on this, could one of the main developers offer a guess on where to change the interfaces for this?

You'd need to:

        change cap_pipe_open_live() to recognize both pcap and pcap-ng files;

        either change cap_pipe_dispatch() to do different operations for pcap and pcap-ng files, or have two pipe dispatch routines, one for pcap files and one for pcap-ng files;

        add new callback routines that, when given a pcap-ng packet, queue it or write it, and use them when capturing from a pipe/socket that delivers pcap-ng files.

> My guess so far after poking around in the code a little bit would be, that in dumpcap itself the change would not be that big, as it seems to pass through whatever it reads, after initially checking on the file format. The bigger changes have to be done on the other side of the capture pipe in the XXshark utilities.

Umm, why would any changes be needed *at all* to them?

Wireshark and TShark have been able to read pcap-ng files for several releases now, and, for the past few releases, it's let dumpcap write its default pcap-ng format and reads it quite happily.  They wouldn't even *know* that dumpcap was capturing from a pipe, much less that pcap-ng rather than pcap packets were being delivered on the pipe.
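The first of Guy's steps, recognizing both formats in cap_pipe_open_live(), as an added example that is not part of this thread or of dumpcap's own code: a sniffer for the leading bytes read from a pipe that distinguishes pcap (microsecond and nanosecond variants, either byte order) from a pcap-ng Section Header Block, reports when the pipe has not yet delivered enough bytes to decide, and rejects an SHB whose byte-order magic or block length is implausible. The type and function names, and the constructed SHB sample, are my own, not dumpcap's.

```c
#include <stdint.h>
#include <string.h>

/* What the first bytes arriving on a capture pipe turned out to be. */
typedef enum {
    CAP_PIPE_UNKNOWN = 0,
    CAP_PIPE_PCAP,       /* classic libpcap header, microsecond timestamps */
    CAP_PIPE_PCAP_NSEC,  /* libpcap variant with nanosecond timestamps */
    CAP_PIPE_PCAPNG,     /* pcap-ng: stream opens with a Section Header Block */
    CAP_PIPE_NEED_MORE   /* too few bytes to decide yet; read more and retry */
} cap_pipe_format;

static uint32_t bswap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

/* Classify a stream from its leading bytes. *swapped is set when the writer's
 * byte order differs from this host's, so every later header needs swapping. */
cap_pipe_format cap_pipe_sniff(const unsigned char *buf, size_t len, int *swapped) {
    uint32_t magic, bom, total_len;
    *swapped = 0;
    if (len < 4) return CAP_PIPE_NEED_MORE;
    memcpy(&magic, buf, 4);
    switch (magic) {
    case 0xa1b2c3d4: return CAP_PIPE_PCAP;
    case 0xd4c3b2a1: *swapped = 1; return CAP_PIPE_PCAP;
    case 0xa1b23c4d: return CAP_PIPE_PCAP_NSEC;
    case 0x4d3cb2a1: *swapped = 1; return CAP_PIPE_PCAP_NSEC;
    case 0x0a0d0d0a: break;   /* SHB block type: same bytes in either byte order */
    default:         return CAP_PIPE_UNKNOWN;
    }
    /* SHB: type(4) total_len(4) byte-order magic(4) ver(2+2) section_len(8) [options] total_len(4) */
    if (len < 12) return CAP_PIPE_NEED_MORE;
    memcpy(&bom, buf + 8, 4);
    if (bom == 0x1a2b3c4d)      *swapped = 0;
    else if (bom == 0x4d3c2b1a) *swapped = 1;
    else return CAP_PIPE_UNKNOWN;   /* block type matched but byte-order magic did not */
    memcpy(&total_len, buf + 4, 4);
    if (*swapped) total_len = bswap32(total_len);
    /* the smallest legal SHB is 28 bytes and block lengths are multiples of 4 */
    if (total_len < 28 || (total_len & 3) != 0) return CAP_PIPE_UNKNOWN;
    return CAP_PIPE_PCAPNG;
}

/* Constructed sample: a minimal 28-byte SHB (version 1.0, section length
 * unspecified), in host order or byte-swapped as a foreign-endian writer emits it. */
void build_min_shb(unsigned char out[28], int swapped) {
    uint32_t u32[3] = { 0x0a0d0d0a, 28, 0x1a2b3c4d }, trailer = 28;
    uint16_t ver[2] = { 1, 0 };
    uint64_t section_len = UINT64_MAX;   /* all ones means "not specified" */
    for (int i = 0; swapped && i < 3; i++) u32[i] = bswap32(u32[i]);
    if (swapped) { trailer = bswap32(trailer); ver[0] = 0x0100; }
    memcpy(out, u32, 12); memcpy(out + 12, ver, 4);
    memcpy(out + 16, &section_len, 8); memcpy(out + 24, &trailer, 4);
}
```

A real cap_pipe_open_live() would loop on CAP_PIPE_NEED_MORE, since a pipe may deliver the header in several short reads.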
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe