Wireshark-dev: Re: [Wireshark-dev] Redirecting Wireshark output through a socket

From: Gustavo <gupa@xxxxxxxxxxxxxx>
Date: Fri, 16 Oct 2009 04:56:46 -0700 (PDT)
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
> What exactly do you want to feed into the other tool?

Possibly XML (pdml).

> In that case you should probably use 'tshark' and you could (I suppose 
> this would work on Windows) do something like:
>
> tshark -V -r /some/cap/file | the_other_analyzer
>
> though I doubt that the commercial tool will really understand this 
> output...


I have probably not been very clear about this: the commercial tool is not written yet, so we are (almost) free to change any specification. This tool should do further analysis and statistics on the output generated (and dissected) by Wireshark.

My first idea was to use tshark too (I've just tried realtime capture and export in PDML and it works perfectly), but it's not clear if the client wants to have access to the Wireshark interface (the main window). For that reason we were thinking of adding a socket in Wireshark to redirect the output (possibly in PDML) to the commercial tool, which should be listening and parsing it. The same thing should work for a capture file (*.pcap for example) opened in Wireshark.

Now I'm digging into the Wireshark code to find the best place (and way) to insert the socket part, but first I was wondering if someone already had the same problem, as it seems a common issue for using Wireshark with commercial sw.
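The receiving side of the setup described in this thread (a listener that accepts dissected output over a socket and parses it incrementally) can be sketched without touching Wireshark itself. The following is an added example, not code from the thread or from the Wireshark project: a small Python TCP listener that takes a PDML stream, parses it packet by packet with `xml.etree.ElementTree.iterparse`, and keeps simple statistics (packet count, protocols seen, source addresses). The PDML sample is constructed by hand in the shape tshark's `-T pdml` output takes; the host, port choice (OS-assigned) and the `run_demo` helper that plays the sender role are assumptions of this example. A real deployment would pipe `tshark -T pdml ...` into the socket; the in-process sender here stands in for that only so the example runs offline.

```python
import io
import socket
import threading
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in PDML layout (two packets); not captured from a real network.
SAMPLE_PDML = b"""<?xml version="1.0" encoding="utf-8"?>
<pdml version="0" creator="constructed-sample">
<packet>
  <proto name="geninfo" showname="General information" size="74">
    <field name="num" show="1" showname="Number"/>
  </proto>
  <proto name="frame" showname="Frame 1: 74 bytes" size="74"/>
  <proto name="eth" showname="Ethernet II" size="14"/>
  <proto name="ip" showname="Internet Protocol" size="20">
    <field name="ip.src" showname="Source: 10.0.0.1" show="10.0.0.1"/>
    <field name="ip.dst" showname="Destination: 10.0.0.2" show="10.0.0.2"/>
  </proto>
  <proto name="tcp" showname="Transmission Control Protocol" size="40">
    <field name="tcp.dstport" showname="Destination port: 80" show="80"/>
  </proto>
</packet>
<packet>
  <proto name="geninfo" showname="General information" size="90">
    <field name="num" show="2" showname="Number"/>
  </proto>
  <proto name="frame" showname="Frame 2: 90 bytes" size="90"/>
  <proto name="eth" showname="Ethernet II" size="14"/>
  <proto name="ip" showname="Internet Protocol" size="20">
    <field name="ip.src" showname="Source: 10.0.0.2" show="10.0.0.2"/>
    <field name="ip.dst" showname="Destination: 10.0.0.1" show="10.0.0.1"/>
  </proto>
  <proto name="udp" showname="User Datagram Protocol" size="8">
    <field name="udp.dstport" showname="Destination port: 53" show="53"/>
  </proto>
  <proto name="dns" showname="Domain Name System (query)" size="48"/>
</packet>
</pdml>
"""


def summarize_pdml(stream):
    """Parse a PDML byte stream incrementally and return simple statistics.

    iterparse handles each <packet> as soon as its closing tag arrives, so a
    live capture (which never sends </pdml>) can be processed as it flows.
    """
    stats = {"packets": 0, "protocols": Counter(), "ip_src": Counter()}
    for _event, elem in ET.iterparse(stream, events=("end",)):
        if elem.tag != "packet":
            continue
        stats["packets"] += 1
        for proto in elem.findall("proto"):
            stats["protocols"][proto.get("name")] += 1
        for field in elem.iter("field"):
            if field.get("name") == "ip.src":
                stats["ip_src"][field.get("show")] += 1
        elem.clear()  # drop the parsed subtree so memory stays flat on long captures
    return stats


def summarize_pdml_bytes(data):
    """Convenience wrapper: summarize PDML already held in memory."""
    return summarize_pdml(io.BytesIO(data))


def serve_pdml_once(ready, result, host="127.0.0.1"):
    """Listen on an OS-chosen loopback port, accept one sender, summarize its PDML."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind((host, 0))
        srv.listen(1)
        ready["port"] = srv.getsockname()[1]
        ready["event"].set()
        conn, _peer = srv.accept()
        with conn, conn.makefile("rb") as stream:
            result.update(summarize_pdml(stream))


def run_demo(pdml_bytes=SAMPLE_PDML):
    """Play the sender role in-process (stand-in for `tshark -T pdml ... | <sender>`)."""
    ready = {"event": threading.Event()}
    result = {}
    listener = threading.Thread(target=serve_pdml_once, args=(ready, result), daemon=True)
    listener.start()
    ready["event"].wait(timeout=5)
    with socket.create_connection(("127.0.0.1", ready["port"])) as client:
        client.sendall(pdml_bytes)  # closing the socket signals end of stream
    listener.join(timeout=5)
    return result


if __name__ == "__main__":
    summary = run_demo()
    print("packets:", summary["packets"])
    print("protocols:", dict(summary["protocols"]))
    print("sources:", dict(summary["ip_src"]))
```

The listener binds to loopback only; if the analyzer and Wireshark sit on different hosts, the stream carries full dissected packet contents in clear text, so the transport between them deserves the same protection as the capture files themselves. Clearing each parsed `<packet>` element is what keeps this usable on an open-ended live capture.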