Hi Mark,
On 08/18/2010 01:34 PM, Mark Landriscina wrote:
> [...]
> My motivation was that I wanted to do some work with Scapy and needed
> to access application layer protocol dissections within Python
> without re-writing all the dissection code already available in
> tshark/wireshark.
I am not a Python guy but my understanding is that there is Python
support in Wireshark trunk (perhaps in 1.4.x). Did you look into that
and determine that it wasn't good enough for what you need? Just curious.
> a. Modified tshark code base and compiled it as a library,
> libtshark.a. This is the original tshark executable, more or less,
> with some notable additions. In particular, after packet dissection,
> the epan dissection tree data is copied off into another tree
> structure that I've defined. This t_dissect_node tree is then
> serialized and written out over a named-pipe. The name of the
> named-pipe is defined by the user at run-time. The code to
> unserialize the t_dissect_node tree is also part of libtshark.a.
> Also, I have incorporated some additional helper code that makes tree
> navigation easier. A function named 'run' is called to start tshark
> and accepts as parameters tshark command line args.
Any reason you chose to integrate tshark instead of libwireshark, which
is what does all the dissection work, as Guy mentioned? I would guess
that it is because it is easier to execute tshark than to fully
integrate libwireshark, but then I don't understand why you need to make
tshark a library instead of just executing it from within Python.
I actually had a similar need and my approach was to interface with
libwireshark. You can check out my work at http://netexpect.org.
Cheers,
Eloy Paris.-
netexpect.org
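As an added example (not code from this thread, from tshark or from netexpect): the "just execute tshark from Python" route Eloy asks about. tshark's "-T pdml" option prints the dissection tree as XML, so Python can read per-field dissection results without a libtshark.a or a named pipe. The PDML sample below is constructed by hand; run_tshark assumes a tshark binary on PATH and a capture file path.

```python
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample in the shape of "tshark -T pdml" output (not real capture data).
SAMPLE_PDML = """<pdml version="0">
<packet>
  <proto name="ip" showname="Internet Protocol">
    <field name="ip.src" showname="Source: 10.0.0.1" show="10.0.0.1"/>
    <field name="ip.dst" showname="Destination: 10.0.0.2" show="10.0.0.2"/>
  </proto>
  <proto name="dns" showname="Domain Name System (query)">
    <field name="dns.flags" showname="Flags: 0x0100" show="0x0100">
      <field name="dns.flags.response" showname="Response: Message is a query" show="0"/>
    </field>
  </proto>
</packet>
</pdml>"""

def to_node(elem):
    """Convert one PDML <proto>/<field> element into a plain dict subtree."""
    return {"name": elem.get("name", ""),
            "show": elem.get("show", ""),
            "children": [to_node(c) for c in elem if c.tag == "field"]}

def parse_pdml(xml_text):
    """Parse PDML text into a list of packets, each a list of protocol trees."""
    root = ET.fromstring(xml_text)
    return [[to_node(p) for p in pkt.findall("proto")]
            for pkt in root.iter("packet")]

def field_value(packets, name):
    """Depth-first search every packet/protocol tree for a field called `name`;
    return its 'show' value, or None if no such field was dissected."""
    stack = [proto for protos in packets for proto in protos]
    while stack:
        node = stack.pop()
        if node["name"] == name:
            return node["show"]
        stack.extend(node["children"])
    return None

def run_tshark(pcap_path, tshark="tshark"):
    """Run tshark as a child process on a capture file and parse its PDML output."""
    proc = subprocess.run([tshark, "-r", pcap_path, "-T", "pdml"],
                          check=True, capture_output=True, text=True)
    return parse_pdml(proc.stdout)
```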