On Mar 9, 2009, at 5:27 PM, Richard Sharpe wrote:
> At each layer it extracts the fields it needs and puts them into the
> protocol tree or the columns, however, there is no library that allows
> you to parse a packet and then say:
> give me the value of the field tcp.flags or smb.fid or so forth
> Ethereal is not organized that way.
Well, not *entirely* true, but it's not as if there's some library
that lets you do that *conveniently*.
In reasonably recent versions of Ethereal - and thus in all versions
of Wireshark, as the "epan" library was created before the program was
renamed from Ethereal to Wireshark - the library (called "libethereal"
in Ethereal, and "libwireshark" in Wireshark) has routines:
epan_init() - initializes the library;
epan_dissect_new() - allocates an epan_dissect_t structure to hold
the context of a dissection, and returns a pointer to it;
epan_dissect_prime_dfilter() - tells the library which fields you'll
need to look at (although the API is *really* oriented towards
"display filters" so you can't just do it by giving it the names of
the fields);
epan_dissect_run() - hand it an epan_dissect_t, the pseudo-header for
the packet as returned by *another* Wireshark library (libwiretap),
the raw packet data for the packet (as returned by libwiretap), and
some other information;
epan_dissect_free() - releases the epan_dissect_t when you're done
with the dissection and have extracted the information you want from
the result.
The values of the fields can be found by looking in the protocol tree
pointed to by the "tree" member of the epan_dissect_t; you'd have to
walk through the tree looking for instances of the fields.
As one can tell from the number of places where I just waved my hands
rather than giving details, this is rather complicated. The library
was *not* designed to be used by arbitrary applications, so the API is
somewhat oriented towards its use in Wireshark and TShark.
And, just to add to the complication, I didn't mention that Wireshark
dissectors maintain state between packets, which they might require in
order to properly dissect packets, so somebody would want to use
libwiretap to read an entire capture file, calling epan_dissect_new()/
epan_dissect_prime_dfilter()/epan_dissect_run()/epan_dissect_free() on
each of the packets.
So I'm not sure it's possible to have a "simple" program that uses
it. It might be easier to have TShark read the capture file and
produce a version of the protocol tree as PDML, and have the program
read the PDML file, as Stephen Donnelly suggested.
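As an added example (not code from this thread or from the Wireshark project), here is the PDML route suggested at the end: a Python script that reads the XML TShark writes with `-T pdml` and pulls named fields such as tcp.flags or smb.fid out of the per-packet tree, including fields nested under other fields. The PDML sample is constructed, not real TShark output, and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of "tshark -T pdml" output (not a real capture):
# packet 1 is a TCP SYN, packet 2 carries an SMB layer with smb.fid.
SAMPLE_PDML = """<?xml version="1.0"?>
<pdml version="0" creator="constructed-sample">
<packet>
  <proto name="tcp" showname="Transmission Control Protocol" size="20" pos="34">
    <field name="tcp.srcport" showname="Source port: 49152" size="2" pos="34" show="49152" value="c000"/>
    <field name="tcp.flags" showname="Flags: 0x002 (SYN)" size="2" pos="46" show="0x00000002" value="0002">
      <field name="tcp.flags.syn" showname=".... ..1. = Syn: Set" size="1" pos="47" show="1" value="1"/>
    </field>
  </proto>
</packet>
<packet>
  <proto name="tcp" showname="Transmission Control Protocol" size="20" pos="34">
    <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="46" show="0x00000018" value="0018"/>
  </proto>
  <proto name="smb" showname="SMB (Server Message Block Protocol)" size="39" pos="58">
    <field name="smb.fid" showname="FID: 0x4001" size="2" pos="83" show="0x4001" value="0140"/>
  </proto>
</packet>
</pdml>
"""


def field_values(pdml_text, field_name, attr="show"):
    """One list per packet of the chosen attribute ('show' is the decoded text,
    'value' the raw hex) for every field named field_name.  Element.iter()
    walks descendants recursively, so fields nested inside tcp.flags are seen too."""
    root = ET.fromstring(pdml_text)
    result = []
    for packet in root.iter("packet"):
        result.append([f.get(attr) for f in packet.iter("field") if f.get("name") == field_name])
    return result


def tcp_flags(pdml_text):
    """Decode the tcp.flags 'show' hex string into an int per packet; None if no TCP layer."""
    return [int(v[0], 16) if v else None for v in field_values(pdml_text, "tcp.flags")]


def syn_only_packets(pdml_text):
    """Indices of packets whose TCP flags are exactly SYN (0x02), e.g. for a scan-count check."""
    return [i for i, flags in enumerate(tcp_flags(pdml_text)) if flags == 0x02]


if __name__ == "__main__":
    print(field_values(SAMPLE_PDML, "smb.fid"))  # [[], ['0x4001']]
    print(tcp_flags(SAMPLE_PDML))                 # [2, 24]
    print(syn_only_packets(SAMPLE_PDML))          # [0]
```

For a real capture, replace SAMPLE_PDML with the contents of a file produced by `tshark -r capture.pcap -T pdml`.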