Wireshark-dev: Re: [Wireshark-dev] Wireshark-dev Digest, Vol 51, Issue 22

From: Mark Landriscina <mlandri1@xxxxxxx>
Date: Wed, 18 Aug 2010 16:04:42 -0400
Eloy,

I found two references Python related projects. First embedded the Python interpreter into Wireshark, so that one could call Python scripts from with Wireshark. The other was a project that allowed one to write dissectors in Python. Really, the first effort is closest to what I was looking for. In fact, this was the first approach that I tried a while back due to its simplicity. However, it turned out to be awkward to use in a larger Python-based automated program/framework.

You're correct, I could have kept tshark as an executable instead of a lib and then spawned it off as a separate process from within Python. This would have worked. I would still be able to access all the dissection data from within Python (via the named-pipe and the serialized data structs that I wrote). In the end, it wasn't any additional work to instead compile it as a library. Compiling as a lib allows me to call tshark as a Python function and then fork it off, which is what my code does. In then end, just boils down to preference, I suppose. :)

I took a look at your site. Pretty cool. Looks like you were way ahead of me but in tcl instead of Python. I'm using thsarkPY with code from a project named Scapy (not my code) to do similar things.

> Hi Mark,
> 
> On 08/18/2010 01:34 PM, Mark Landriscina wrote:
> 
> [...]
> 
> > My motivation was that I wanted to do some work with Scapy and needed
> > to access application layer protocol dissections within Python
> > without re-writing all the dissection code already available in
> > tshark/wireshark.
> 
> I am not a Python guy but my understanding is that there is Python 
> support in Wireshark trunk (perhaps in 1.4.x). Did you look into that 
> 
> and determined that it wasn't good enough for what you need? Just curious.
> 
> > a. Modified tshark code base and compiled it as a library,
> > libtshark.a. This is the original tshark executable, more or less,
> > with some notable additions. In particular, after packet dissection,
> > the epan dissection tree data is copied off into another tree
> > structure that I've defined. This t_dissect_node tree is then
> > serialized and written out over a named-pipe. The name of the
> > named-pipe is defined by the user at run-time. The code to
> > unserialize the t_dissect_node tree is also part of libtshark.a.
> > Also, I have incorporated some additional helper code that makes tree
> > navigation easier. A function named 'run' is called to start tshark
> > and accepts as parameters tshark command line args.
> 
> Any reason you chose to integrate tshark instead of libwireshark, 
> which 
> is what does all the dissection work, as Guy mentioned? I would guess 
> 
> that it is because it is easier to execute tshark than to fully 
> integrate libwireshark, but then I don't understand why you need to 
> make 
> tshark a library instead of just executing it from within Python.
> 
> I actually had a similar need and my approach was to interface with 
> libwireshark. You can check out my work at 
> 
> Cheers,
> 
> Eloy Paris.-
> netexpect.org
>