James Gilsinn wrote:
> What I am looking for is a way to filter a capture file
> for specific packets and then pull particular pieces of data out of
> those packets. The data that I need to pull out is not always what is
> displayed in the "single-line" packet display that Wireshark and Tshark
> display. Most of the data we need is only displayed in the full packet
> view. I've tried to use Wireshark/TShark to convert these files to
> PDML, but then they explode to multiple hundreds of Megabytes. I have
> not found a good way to process these large files.
>
> My project involves doing performance analysis on industrial Ethernet
> devices. Right now, I am working on cyclic jitter analysis of the
> EtherNet/IP protocol (CIP and ENIP). I am using a commercial network
> analyzer to collect the data, then I post-process the data in Tshark and
> some custom software. I would like to eliminate the Tshark step because
> of the reasons I described above. I would like to find a way under
> Windows to connect to Wireshark via a socket interface (or Tshark if
> absolutely necessary) that could maintain the binary nature of the data
> and allow me access to the specific data I need.
You might want to take a look at rawshark. It reads from files and pipes instead
of sockets, but should do what you need otherwise:
http://www.wireshark.org/docs/man-pages/rawshark.html
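For the specific job described in the quoted message (pull a few fields out of EtherNet/IP class 1 I/O packets and measure cycle jitter) it is also feasible to skip the dissector tool chain entirely and read the capture file in binary form. The following is an added example, not code from this thread, from Wireshark or from rawshark: a minimal classic-pcap reader that filters for UDP/2222 frames, extracts the connection ID and 32-bit sequence number from the Common Packet Format "Sequenced Address" item (type 0x8002), and reports per-connection inter-arrival jitter. The sample capture it runs on is constructed inline (the connection ID, addresses and timestamps are made up), pcapng is not handled, and timestamps are kept as integer microseconds so that interval arithmetic does not lose precision to floating point.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4         # classic pcap, microsecond timestamps
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_UDP = 17
ENIP_IO_PORT = 2222             # EtherNet/IP class 1 (implicit I/O) UDP port
CPF_SEQUENCED_ADDRESS = 0x8002  # Common Packet Format "Sequenced Address" item
CPF_CONNECTED_DATA = 0x00B1     # Common Packet Format "Connected Data" item


def iter_pcap(data):
    """Yield (timestamp_us, frame_bytes) for each record of a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"            # written by a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"            # written by a big-endian host
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24                    # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            break               # truncated final record
        yield ts_sec * 1_000_000 + ts_usec, data[off:off + incl_len]
        off += incl_len


def enip_io_fields(frame):
    """Return (connection_id, sequence_number) for an EtherNet/IP I/O frame on
    UDP/2222, or None for any other frame (this is the filter step)."""
    try:
        if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            return None
        ip = 14
        if frame[ip + 9] != IPPROTO_UDP:
            return None
        udp = ip + (frame[ip] & 0x0F) * 4           # IHL gives the IPv4 header length
        _sport, dport, ulen = struct.unpack_from("!HHH", frame, udp)
        if dport != ENIP_IO_PORT:
            return None
        payload = frame[udp + 8:udp + ulen]
        # CPF: item count, then (type id, length, data) items, all little-endian
        count, = struct.unpack_from("<H", payload, 0)
        off = 2
        for _ in range(count):
            type_id, length = struct.unpack_from("<HH", payload, off)
            off += 4
            if type_id == CPF_SEQUENCED_ADDRESS and length == 8:
                return struct.unpack_from("<II", payload, off)   # (conn id, seq)
            off += length
    except (struct.error, IndexError):
        pass                    # short or malformed frame: treat as not I/O data
    return None


def cyclic_intervals(pcap_bytes):
    """Per connection ID: list of (interval_us, sequence_delta) between
    consecutive I/O frames. sequence_delta > 1 means a frame is missing."""
    last, out = {}, defaultdict(list)
    for ts, frame in iter_pcap(pcap_bytes):
        fields = enip_io_fields(frame)
        if fields is None:
            continue
        conn, seq = fields
        if conn in last:
            prev_ts, prev_seq = last[conn]
            out[conn].append((ts - prev_ts, (seq - prev_seq) & 0xFFFFFFFF))
        last[conn] = (ts, seq)
    return dict(out)


def max_jitter_us(intervals, nominal_us):
    """Largest deviation from the nominal cycle, skipping intervals that span a
    lost frame (those measure packet loss, not jitter)."""
    devs = [abs(dt - nominal_us) for dt, dseq in intervals if dseq == 1]
    return max(devs) if devs else 0


def _io_frame(conn_id, seq, data=b"\x01\x00\x00\x00"):
    """Constructed Ethernet/IPv4/UDP frame carrying one CPF I/O message.
    The IP checksum is left zero; the parser never verifies it."""
    cpf = struct.pack("<H", 2) + struct.pack("<HHII", CPF_SEQUENCED_ADDRESS, 8, conn_id, seq)
    cpf += struct.pack("<HH", CPF_CONNECTED_DATA, len(data)) + data
    udp = struct.pack("!HHHH", ENIP_IO_PORT, ENIP_IO_PORT, 8 + len(cpf), 0) + cpf
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20])) + udp
    return bytes.fromhex("01005e000001" "000102030405") + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_sample_pcap():
    """Constructed sample (not real traffic): one I/O connection on a 10 ms cycle,
    one frame 3 ms late, one sequence number missing, plus an ARP frame to ignore."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    arp = bytes.fromhex("ffffffffffff000102030405") + struct.pack("!H", ETHERTYPE_ARP) + bytes(28)
    frames = [(0, arp)] + [(t, _io_frame(0x1A2B3C4D, s))
                           for t, s in ((5, 1), (10_005, 2), (23_005, 3), (30_005, 5))]
    return header + b"".join(struct.pack("<IIII", 1_700_000_000, t, len(f), len(f)) + f
                             for t, f in frames)


if __name__ == "__main__":
    for conn, ivs in cyclic_intervals(build_sample_pcap()).items():
        print(f"connection 0x{conn:08X}: {ivs}, max jitter {max_jitter_us(ivs, 10_000)} us")
```

On a real capture the interesting caveat is the timestamp source: the numbers above are only as good as the clock that stamped the records, so a software capture on the analysis PC will show its own scheduling noise as "jitter" while a hardware-timestamping analyzer will not.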