Wireshark-dev: Re: [Wireshark-dev] Using wireshark apis

From: Eloy Paris <peloy@xxxxxxxxxx>
Date: Thu, 3 Apr 2008 12:14:19 -0400
Hi Pavan,

On Thu, Apr 03, 2008 at 12:23:04PM +0530, Gupta, Pavan wrote:

> I would like to use Wireshark library apis to dissect packets. 
> 
> - Call a function in Wireshark providing the filename or buffer as
> input. File/buffer will have data in pcap format. This function should
> return me dissected data.
> 
> Is there any function that can be called directly?

It's not as simple as that - you need to call several functions to
initialize the library, to load preferences (which are used by the
dissectors), to create the key epan_dissect_t structure, to dissect the
packet, to manage the dissection results, etc. It's not hard but the
point is that it is not as easy as "dissect(data, data_len)".

> I am trying to reverse engineer Wireshark (rather tshark) code but
> its taking time to understand the finer details. Also, please share
> the way how I can build my application that links to Wireshark
> .so libraries. Looking at tshark code, it seems load_cap_file( )
> function is the function that needs to be called, but before that
> some initialization needs to be done (like initializing dissector,
> etc.). The libraries that I need to link are libwiretap.so and
> libwireshark.so.

It happens that I also have been working on an application that uses
libwireshark services for packet dissection. I looked a lot at tshark
to understand how the libwireshark API is being invoked and ended up
writing a very simple program that allows me to easily play with things
without having to deal with the higher complexity of tshark and with the
wireshark build environment, and that allows me to play with things like
Makefiles and the autoconf script, etc. My test program doesn't have the
the bells and whistles that tshark has and uses libpcap to read packets
instead of libwirecap.

You can download the source code from:

http://www.chapus.net/wshark-test/

You may have better luck trying to understand this program instead
of tshark/wireshark.

I was thinking about using this little program as the basis of new
documentation on how to write applications that use libwireshark
services. Perhaps write a README.libwireshark for the doc/ directory and
host the source code for this program somewhere on the Wireshark wiki.

Comments from the developers regarding the merits of these ideas are
appreciated.

Cheers,

Eloy Paris.-