On Dec 19, 2006, at 2:28 PM, Romain Goyet wrote:
Hi there,
So, I've seen that some people before me offered to port Wireshark
to Mac OS X, but eventually didn't :-). So, don't get me wrong, I know
WireShark already runs really well on Apple's OS, but it doesn't
natively. Here are the options I already gave a try:
-> Build GTK+ and its dependencies, and then run Wireshark under
Apple's X11. That works just fine, but it's a pain in the *** to
build. It takes forever, you have to keep tweaking makefiles, etc...
That probably depends on how GTK+ and dependencies are built.
I build and install the dependencies from source. With:
pkgconfig-0.15.0
gettext-0.14.1
glib-2.4.8
atk-1.8.0
pango-1.4.1
gtk+-2.4.14
it's pretty much configure/make/make install for those libraries, at
least on Tiger, if you do them in that order. The only tricky part is
gtk+, where I explicitly configure out the gdk-pixbuf loaders -
--without-libpng, --without-libjpeg, and --without-libtiff.
Once I've done that, Wireshark, at least from SVN, is just configure/
make/make install. I've never tweaked Makefiles in that process.
So, what do you guys think? I'd be willing to help make a native Mac
OS X GUI for WireShark, but I don't know whether it's really worth it.
In case you think it'd be a good idea, how much work would that
represent?
A lot.
One big problem is that native OS X applications have a model where
there is only one process for all windows. Wireshark does not
currently support having multiple files open, or doing multiple
captures in parallel, and having multiple files open, at least, would
be a significant change - you'd have to either get rid of a lot of
global variables, or have a thread per capture file and put them
into the per-thread data.
From what I've seen in the source code, it looks like
wireshark is really tied to GTK+. The problem is that the UI part is
virtually undocumented. And what about "libwireshark"? Is it a
library that basically does everything, and the GTK+ UI just links to
it and displays the results ?
Libwireshark does packet dissection and operations such as that. It
has absolutely *no* GUI code, as TShark also uses it, and TShark has
no GUI.
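The build order and the gtk+ configure flags from the reply above, written up as an added shell script that is not part of the original thread. It assumes the six tarballs sit in the current directory as name-version.tar.gz or .tar.bz2; PREFIX and DRY_RUN are this script's own variables (it defaults to a dry run that only prints the plan).

```shell
#!/bin/sh
# Added example: build the GTK+ stack from the tarball versions listed in
# the reply, in the order given, so each configure finds the previous ones.
# Assumptions: tarballs are in the current directory; PREFIX and DRY_RUN
# are this script's own variables, not anything from the thread.
set -e
PREFIX="${PREFIX:-/usr/local}"
DRY_RUN="${DRY_RUN:-1}"   # set DRY_RUN=0 to really configure/make/install

# Order matters: pkg-config first, then gettext, glib, atk, pango, gtk+.
PACKAGES="pkgconfig-0.15.0 gettext-0.14.1 glib-2.4.8 atk-1.8.0 pango-1.4.1 gtk+-2.4.14"

# Extra configure flags for a package. Only gtk+ needs any: the reply
# configures out the gdk-pixbuf image loaders (png, jpeg, tiff).
configure_flags() {
    case "$1" in
        gtk+-*) echo "--without-libpng --without-libjpeg --without-libtiff" ;;
        *)      echo "" ;;
    esac
}

# Build one package: unpack, configure with prefix and flags, make, install.
# In dry-run mode it only prints the command it would run.
build_package() {
    pkg="$1"
    flags=$(configure_flags "$pkg")
    if [ "$DRY_RUN" = "1" ]; then
        echo "$pkg: ./configure --prefix=$PREFIX${flags:+ $flags} && make && make install"
        return 0
    fi
    if [ -f "$pkg.tar.gz" ]; then tar xzf "$pkg.tar.gz"
    elif [ -f "$pkg.tar.bz2" ]; then tar xjf "$pkg.tar.bz2"
    else echo "missing tarball for $pkg" >&2; return 1; fi
    ( cd "$pkg" && ./configure --prefix="$PREFIX" $flags && make && make install )
}

# Later configures must find the libraries and pkg-config just installed.
export PKG_CONFIG_PATH="$PREFIX/lib/pkgconfig:${PKG_CONFIG_PATH:-}"
export PATH="$PREFIX/bin:$PATH"

build_all() {
    for p in $PACKAGES; do build_package "$p"; done
}

build_all
```

After the stack is in place, Wireshark itself is the same configure/make/make install against that PREFIX, as the reply says.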