Wireshark-dev: Re: [Wireshark-dev] Adding support to Wireshark for CSV, TSV and SSV data types

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 18 Jun 2017 20:01:05 -0700
On Jun 18, 2017, at 5:54 PM, Paul Offord <Paul.Offord@xxxxxxxxxxxx> wrote:

> Some time ago I wrote a program that reads Microsoft IIS web log files and converts them into PCAP-NG format.  I then wrote a matching dissector to produce nice neat output.  I want to rewrite it because:
>  
> 	• The field names and data types are defined in the first record of the PCAP-NG file – this is how the dissector knows the layout of the file
> 	• Each data record is encapsulated in a dummy Ethernet frame and I want to eliminate this
> 	• I’d like to make it more general so that it can also deal with CSV, TSV and, later, variable format log records

Do you mean "deal with arbitrary CSV and TSV files" or "deal with IIS Web logs that are in CSV and TSV format"?

And is there any reason not to just take the log file reading part of your code, make it into a libwiretap module that *directly* reads those files using a WTAP_ENCAP_IIS_LOG encapsulation, and write a dissector for WTAP_ENCAP_IIS_LOG?

Note that this would require support for random access to the file when reading it.