
Wireshark-dev: Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

From: Stephen Donnelly <Stephen.Donnelly@xxxxxxxxxx>
Date: Wed, 30 Aug 2017 23:58:02 +0000
> Richard Sharpe Sent: Saturday, 17 June 2017 5:28 AM
>
> > On Fri, Jun 16, 2017 at 9:36 AM, Kvidera, Evan D <EKvidera15@xxxxxxxxxx> wrote:
> > Hello Wireshark Devs,
> >
> > My name is Evan Kvidera and I am a senior undergraduate student 
> > studying Computer Science. I have a decent amount of programming 
> > experience, but only a little in C. My employer has asked me to try to 
> > add support for piping pcap-ng captures to Wireshark.
> > I have read over the bug report requesting the feature, 
> > https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11370.
> >
> > After reading the mailing list archives here,
> > https://www.mail-archive.com/wireshark-dev@xxxxxxxxxxxxx/msg33336.html,
> > it looks like this addition will be nontrivial, but doable, and that
> > the changes necessary are all going to be in dumpcap.
> >
> > I have at least a month or two of full-time work I can dedicate to 
> > this if necessary, although I am hoping it will not take that long.
> >
> > I have read through the Wireshark Developer's Guide and looked over 
> > the style guide for Wireshark. Is there anything else I should know 
> > before starting development? I will try to develop this as 
> > independently as possible, but I may have a few questions along the way.
>
> Hi Evan,
>
> I looked at this back in 2012 and even proposed a patch that might be useful to you:
>
>       http://seclists.org/wireshark/2012/May/25
>
> No doubt it was a little too simplistic but if I find some time next week while I am in Seattle I might try to resurrect it and see if it works.

Why pcap-ng specifically? Although pcap-ng is higher featured than pcap, it is not Wireshark's internal representation. Pcap-ng is merely the default output format.

Since Wireshark has the ability to detect and read multiple formats already in wiretap, why not leverage that?

At the very least extcap tools should be able to supply data in any format understood by wiretap, but since the extcap data currently goes via dumpcap (maybe not sensible either?) they are restricted to pcap only and have to convert to that internally, potentially losing information.

Wouldn’t it be better for the capture tool to indicate which of the wiretap formats it intends to use, rather than switching from one fixed format to a different fixed format? This would then support both pcap and pcap-ng intrinsically, as well as all other formats.

Regards,
Stephen
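The two technical points in the thread, sniffing which capture format is arriving on a pipe (where you cannot seek back) and the information a pcapng-to-pcap downgrade throws away, are illustrated below with an added example. This is not Wireshark, dumpcap or wiretap code; it is a stand-alone script written for this page that builds minimal pcap and pcapng streams from the public format layouts. It assumes little-endian pcapng, parses no block options, and takes the pcapng default of microsecond timestamps; the sample packets are constructed in-line.

```python
"""Added example (not Wireshark code): minimal pcap/pcapng writers, the magic-
number sniff a multi-format reader can do on a pipe, and a pcapng->pcap
downgrade that reports what the pcap output cannot represent."""
import struct

PCAP_MAGIC_US = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # pcap variant with nanosecond timestamps
PCAPNG_SHB = 0x0A0D0D0A      # pcapng Section Header Block type (palindromic)
PCAPNG_BOM = 0x1A2B3C4D      # pcapng byte-order magic inside the SHB
PCAPNG_IDB = 0x00000001      # Interface Description Block
PCAPNG_EPB = 0x00000006      # Enhanced Packet Block


def pcap_header(linktype=1, snaplen=65535):
    """24-byte pcap global header: exactly one link type for the whole stream."""
    return struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec, ts_usec, data, orig_len=None):
    """16-byte pcap record header plus packet bytes; no interface id field exists."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(data),
                       len(data) if orig_len is None else orig_len) + data


def _block(btype, body):
    """Generic pcapng block: type, total length, body padded to 4, total length again."""
    pad = (-len(body)) % 4
    total = 12 + len(body) + pad
    return struct.pack("<II", btype, total) + body + b"\0" * pad + struct.pack("<I", total)


def pcapng_shb():
    """Section Header Block with section length -1 (unknown), as a pipe writer must use."""
    return _block(PCAPNG_SHB, struct.pack("<IHHq", PCAPNG_BOM, 1, 0, -1))


def pcapng_idb(linktype=1, snaplen=65535):
    return _block(PCAPNG_IDB, struct.pack("<HHI", linktype, 0, snaplen))


def pcapng_epb(iface, ts_usec, data):
    hi, lo = ts_usec >> 32, ts_usec & 0xFFFFFFFF
    return _block(PCAPNG_EPB, struct.pack("<IIIII", iface, hi, lo, len(data), len(data)) + data)


def sniff_format(head):
    """Classify a stream from its first bytes before committing to a parser.
    Needs at most 12 bytes, so it works on a pipe where seeking back is impossible.
    Returns (format, byte order, timestamp resolution) or None if unrecognised."""
    if len(head) < 4:
        return None
    (magic,) = struct.unpack("<I", head[:4])
    pcap_magics = {
        PCAP_MAGIC_US: ("pcap", "<", "us"), 0xD4C3B2A1: ("pcap", ">", "us"),
        PCAP_MAGIC_NS: ("pcap", "<", "ns"), 0x4D3CB2A1: ("pcap", ">", "ns"),
    }
    if magic in pcap_magics:
        return pcap_magics[magic]
    if magic == PCAPNG_SHB and len(head) >= 12:
        (bom,) = struct.unpack("<I", head[8:12])      # byte-order magic follows the lengths
        if bom == PCAPNG_BOM:
            return ("pcapng", "<", "per-interface")
        if bom == 0x4D3C2B1A:
            return ("pcapng", ">", "per-interface")
    return None


def pcapng_to_pcap(data):
    """Downgrade a little-endian pcapng stream to pcap.  Returns the pcap bytes and
    the per-packet interface ids that the pcap output silently drops (only when the
    section had more than one interface; with one interface nothing is lost)."""
    off, ifaces, pkt_ifaces, records = 0, [], [], []
    while off + 12 <= len(data):
        btype, total = struct.unpack_from("<II", data, off)
        if total < 12 or off + total > len(data):
            raise ValueError("truncated or malformed pcapng block")
        body = data[off + 8: off + total - 4]
        if btype == PCAPNG_SHB and struct.unpack_from("<I", body)[0] != PCAPNG_BOM:
            raise ValueError("this example handles little-endian pcapng only")
        if btype == PCAPNG_IDB:
            linktype, _reserved, snaplen = struct.unpack_from("<HHI", body)
            ifaces.append((linktype, snaplen))
        elif btype == PCAPNG_EPB:
            iface, hi, lo, caplen, orig = struct.unpack_from("<IIIII", body)
            ts = (hi << 32) | lo                      # default if_tsresol: microseconds
            pkt = body[20:20 + caplen]
            records.append(pcap_record(ts // 1_000_000, ts % 1_000_000, pkt, orig))
            pkt_ifaces.append(iface)
        off += total
    if len({lt for lt, _ in ifaces}) > 1:
        raise ValueError("pcap has one link type; mixed-linktype pcapng cannot be converted")
    linktype, snaplen = ifaces[0] if ifaces else (1, 65535)
    lost = pkt_ifaces if len(ifaces) > 1 else []
    return pcap_header(linktype, snaplen) + b"".join(records), lost


if __name__ == "__main__":
    frame = b"\x00" * 14                              # constructed placeholder Ethernet frame
    stream = (pcapng_shb() + pcapng_idb(1) + pcapng_idb(1)
              + pcapng_epb(0, 1_000_000, frame) + pcapng_epb(1, 2_500_000, frame))
    print("pipe carries:", sniff_format(stream[:12]))
    pcap_bytes, lost = pcapng_to_pcap(stream)
    print(len(pcap_bytes), "pcap bytes; interface ids dropped:", lost)
```

The sniff only looks at the fixed leading bytes, which is what makes it usable on a pipe: a reader that committed to pcap after four bytes would have to be restarted to handle pcapng, whereas checking the SHB type and then the byte-order magic lets one reader dispatch to the right parser before anything has been consumed past the header. The conversion deliberately refuses mixed link types and reports dropped interface ids rather than guessing, which is the kind of silent loss the message above is warning about.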