[Lee Brooks <lee.brooks.inbox@xxxxxxxxx>]

Hi,

The tool wasn't written inside Wireshark because it started off as a dissertation project where the GNU General Public License was problematic for the sponsoring party. Since then the third party have agreed to release the IP to the authors, allowing it to be released Open Source.

The application is used for analysing large amounts of data (>500Mb) so re-starting Wireshark (although not impossible) would take too long each time the user wants to update the filter.

Thank you for your advice, I will look into the Wireshark Lua plugin.

Thanks,

Lee

On 11 February 2013 17:53, Hadriel Kaplan <HKaplan@xxxxxxxxxxxxxx> wrote:

Not critiquing your approach, but if you've got a tool that analyzes pcap data for TCP/IP connections/stats, and also uses Wireshark, why not just write the tool inside Wireshark? (e.g., as a tap)

Alternatively, if your tool is stand-alone and uses Wireshark only for detailed drill-down on-demand, why not start Wireshark with the command line and use the "-R" command-line option to set the display filter?

Otherwise, using sockets/pipes to do it seems reasonable, but you may not need to modify Wireshark's C-code to accomplish it - you might be able use a Wireshark Lua plugin which uses LuaSocket to communicate to your application, and have the Lua plugin call set_filter() and apply_filter() to change the display filter.

-hadriel

On Feb 11, 2013, at 5:43 AM, Lee Brooks <lee.brooks.inbox@xxxxxxxxx> wrote:

Hi,

Thank you for replying.

Sure, firstly for other bespoke network analysis tools that aim to use Wireshark to analyse low level network data (but where the main focus of the tool isn't aimed at that level of detail). In comparison to it's alternatives Wireshark is feature-rich, very customisable and also stable which makes it desirable to hook into from other applications. This type of tool ranges from in-house testing tools to other open-source applications. 

For my self personally, a colleague and I are hoping to release a light-weight open source tool that provides a top-down view on network data. It has already been written, tested and used in anger by others at the company where we work. It analyses pcap data then provides statistics on a list of IP conversations between hosts, allowing you to drill down into details about the TCP Connections for each conversation. Then from TCP Connections it can drill down into the individual packet data where it currently hooks into a prototype-dev version of Wireshark (by changing the filters on the GUI). It also provides the ability to script your own data classifications to help identify specific network conditions quickly. Our aim is to release it to the open source community within the next few weeks/months.

In my opinion I would rather connect to a Wireshark remote control API than use a bespoke version or re-create the wheel.

I think a "GUI remote control" would only need to support "Change GUI Filter" and "Remove GUI Filter" although it has a lot more potential too. I have implemented these controls in our prototype-dev version or Wireshark and the source code supports it fairly well. 

Any help you can offer would be appreciated.

Thanks,

Lee

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe