Wireshark-dev: Re: [Wireshark-dev] Anyone heard of Netdude?

From: Gregory Seidman <gsslist+wireshark@xxxxxxxxxxxxxxxxxx>
Date: Mon, 7 Feb 2011 14:36:28 -0500
On Mon, Feb 07, 2011 at 08:18:11PM +0100, bernoulli wrote:
> Though I'm not in the core dev team, I think the main task of wireshark
> is sniffing the net. The main task of netdude is to edit packets in order
> to do tests with packet injection later on. Because, when sniffing, we
> want to be as passive as possible, I think it is not necessary to do
> packet editing in Wireshark.

It's possible that the right approach is another frontend, in the same way
that Tshark and Wireshark are separate, or maybe an editing mode that is
disabled by default. I've wanted to do testing with packet injection (using
BitTwist) in the past, and wound up editing a PCAP file in a hex editor.
The main reason to want Wireshark (or another frontend in the Wireshark
project) to be the editor is the wealth of existing dissectors. Sure, it
isn't too tough to write something to change an IP header, but how about
changing a field in a structure deep in an SNMP packet?

In addition, lots of companies develop their own internal protocols, and
develop Wireshark dissectors internally to help them debug. If the same
dissectors they've already developed could help generate test data as well,
so much the better. One could argue that such internal development does
nothing to further the goals of an open source project, but even aside from
supporting users who submit bugs and fixes for them as a result of their
use, it is rewarding to make something that is useful and used.

> I've tested netdude too, and it is dead! The program still uses gtk+
> (version 1) and thus isn't compiling under modern Linux versions. And all
> the mailing lists for netdude are dead, too. So there is indeed the
> problem that there exists no graphical toolkit for packet editing - which
> is free - at the moment afaik. But, again, I think Wireshark is not the
> right place for packet editing.

Ah, interesting. Thanks for the info on netdude. I clearly disagree with
you in that I think Wireshark (the project, though not necessarily the
existing GUI) is the best possible place for packet editing.

> Regards,
>    Marc.
--Greg

> Am 07.02.2011 19:20, schrieb Gregory Seidman:
> >I recently ran across Netdude <http://netdude.sf.net/>. I haven't played
> >with it, but it appears to have aims similar to Wireshark. It looks like
> >Wireshark is MUCH more mature, but there may be something to be learned
> >from it.
> >
> >In particular, its primary feature seems to be that it can edit fields in
> >packets. Has there been any thought toward Wireshark supporting editing? Is
> >there a strong reason not to (other than the technical difficulty involved,
> >which is not insignificant)?
> >
> >--Greg
> >
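As an added illustration of the "write something to change an IP header" case discussed in the thread (this is not code from the thread, from Wireshark, from Netdude or from BitTwist), the script below rewrites the IPv4 destination address of every packet in a classic little-endian libpcap file with Ethernet framing and recomputes the IPv4 header checksum, which is exactly the part a hex editor leaves stale. The function names, the sample capture and the addresses are my own constructions; the script assumes nothing beyond the standard library.

```python
"""Rewrite the IPv4 destination in every record of a pcap file and fix the
IPv4 header checksum.  Added example; handles only little-endian classic
pcap (magic 0xa1b2c3d4) with LINKTYPE_ETHERNET.  The sample capture is
constructed inline so the script runs offline."""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header.  Returns 0 when
    the header already carries a correct checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_pcap() -> bytes:
    """Constructed sample: one Ethernet/IPv4/UDP frame (10.0.0.1 -> 10.0.0.2,
    UDP checksum disabled) inside a pcap container."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = b"hello"
    udp = struct.pack("!HHHH", 40000, 161, 8 + len(payload), 0) + payload
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp),
                               1, 0, 64, 17, 0, src, dst))
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    eth = b"\xaa" * 6 + b"\xbb" * 6 + ETHERTYPE_IPV4
    frame = eth + bytes(ip) + udp
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                             LINKTYPE_ETHERNET)
    record_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame


def rewrite_ipv4_dst(pcap: bytes, new_dst: str) -> bytes:
    """Return a copy of `pcap` with every IPv4 destination set to `new_dst`
    and the IPv4 header checksum recomputed.  Transport checksums (TCP/UDP
    pseudo-header) are deliberately not touched here."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled")
    linktype, = struct.unpack("<I", pcap[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet framing is handled")
    new_dst_bytes = bytes(int(octet) for octet in new_dst.split("."))
    out = bytearray(pcap[:24])            # global header copied unchanged
    pos = 24
    while pos < len(pcap):
        record_hdr = pcap[pos:pos + 16]
        incl_len, = struct.unpack("<I", record_hdr[8:12])
        frame = bytearray(pcap[pos + 16:pos + 16 + incl_len])
        pos += 16 + incl_len
        # Ethernet: 14-byte header; IPv4 starts at offset 14, version nibble 4
        if len(frame) >= 34 and frame[12:14] == ETHERTYPE_IPV4 and frame[14] >> 4 == 4:
            ihl = (frame[14] & 0x0F) * 4
            ip = frame[14:14 + ihl]
            ip[16:20] = new_dst_bytes             # destination address field
            ip[10:12] = b"\x00\x00"               # zero checksum before summing
            ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
            frame[14:14 + ihl] = ip
        out += record_hdr + frame
    return bytes(out)


def ipv4_destinations(pcap: bytes):
    """Yield (destination, checksum_ok) for each IPv4 packet; used to verify
    a rewrite the way a dissector would."""
    pos = 24
    while pos < len(pcap):
        incl_len, = struct.unpack("<I", pcap[pos + 8:pos + 12])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) >= 34 and frame[12:14] == ETHERTYPE_IPV4:
            ihl = (frame[14] & 0x0F) * 4
            ip = frame[14:14 + ihl]
            yield ".".join(str(b) for b in ip[16:20]), ip_checksum(ip) == 0


if __name__ == "__main__":
    original = build_sample_pcap()
    edited = rewrite_ipv4_dst(original, "192.0.2.10")
    print(list(ipv4_destinations(original)), "->", list(ipv4_destinations(edited)))
```

The point of the thread is visible in the last function: checking that the result is still well-formed requires re-dissecting the packet, and this script only knows how to do that for the IPv4 header. A field buried in an SNMP PDU would need the BER-aware dissector Wireshark already has, which is why re-using the dissectors for editing is attractive. Note also that the UDP checksum in the sample is disabled (0); a capture with TCP or checksummed UDP would need the pseudo-header checksum recomputed as well after the address change.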