On Mar 6, 2022, at 3:52 PM, Christian <chris@xxxxxxxxxxxxx> wrote:
> Hello out there, I created a kernel probe module and I want to watch the
> outputs of this module with pcap/Wireshark. Just like usbmon. So I
> defined a char device in the dev-directory /dev/kpnode from which the
> pcap interface can read the output of that module. In order to enable
> Wireshark to read from this device, I started to place a handler
> function into libpcap:
> In pcap.c I put in
> #ifdef PCAP_SUPPORT_KPNODE
> #include "pcap-kpnode.h"
> #endif
> and later:
> #ifdef PCAP_SUPPORT_KPNODE
> { kpnode_findalldevs, kpnode_create },
> #endif
> further down:
> #ifdef PCAP_SUPPORT_KPNODE
> || strstr(device, "kpnode") != NULL
> #endif
>
> The functions kpnode_findalldevs and kpnode_create are in my files
> pcap-kpnode.c and pcap-kpnode.h. They are not finished yet but the
> subject of this mail is for now, how to connect these functions into
> libpcap and Wireshark so that they are evoked if a device /dev/kpnode
> emerges.
You do it in libpcap.
Then:
if you have a version of Wireshark that's linked with your version of libpcap;
and if kpnode_findalldevs() works, so that its devices show up in Wireshark when it calls pcap_findalldevs();
and if kpnode_create() works, so that it can be opened in Wireshark when it calls pcap_create() on a kpnode device and it can be activated with pcap_activate();
and if dumpcap - which is the program in Wireshark that calls pcap_findalldevs(), pcap_create(), and pcap_activate() - in that version of Wireshark is set up to run with sufficient privileges to open kpnode devices (that may require that it be set-UID to root, or it may not);
and if those devices either use an existing LINKTYPE_/DLT_ value that Wireshark can dissect, or it uses a LINKTYPE_USERn/DLT_USERn value and you've written a dissector for that type and either built it into Wireshark or built it into a plugin for Wireshark and set it up for the USERn value in question;
then it should Just Work in Wireshark.
The bulk of this is a libpcap question, and should be asked on tcpdump-workers@xxxxxxxxxxxxxxxxx.
The part that's relevant to Wireshark would be:
"How do I build a version of Wireshark that's linked with my version of libpcap?" The answer is "install it on your system, complete with headers - the library and headers will, by default, be under /usr/local - and then configure Wireshark from scratch; the CMake configuration for Wireshark should find the /usr/local version and use your libpcap."
"How do I write a dissector for my new link-layer type (assuming that you can't just use an existing LINKTYPE_/DLT_ value)?" The answer is more complicated.
The rest of your question amounts to
> What did I miss to integrate my handlers into pcap library?
which is a libpcap question and should be asked on tcpdump-workers@xxxxxxxxxxxxxxxxx.
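As an added example (not code from this thread, from libpcap or from Wireshark), the following Lua script takes the LINKTYPE_USERn/DLT_USERn route described in the reply above: it registers a dissector for DLT_USER0 (value 147), so any capture whose link-layer type is USER0 is handed to it. The kpnode record layout it parses (8-byte timestamp, 4-byte probe id, 2-byte payload length, payload) is an assumption made up for illustration; the thread never says what the kernel module emits, and the libpcap side would have to report DLT_USER0 as the handle's link type for this binding to take effect.

```lua
-- kpnode.lua: added example dissector for a hypothetical kpnode link type.
-- The record layout below is an ASSUMPTION for illustration only:
--   bytes 0..7   timestamp in nanoseconds (big-endian uint64)
--   bytes 8..11  probe id                 (big-endian uint32)
--   bytes 12..13 payload length           (big-endian uint16)
--   bytes 14..   payload
local kpnode = Proto("kpnode", "kpnode kernel probe record")

local f_ts    = ProtoField.uint64("kpnode.ts",       "Timestamp (ns)",  base.DEC)
local f_probe = ProtoField.uint32("kpnode.probe_id", "Probe ID",        base.HEX)
local f_len   = ProtoField.uint16("kpnode.len",      "Payload length",  base.DEC)
local f_data  = ProtoField.bytes ("kpnode.data",     "Payload")
kpnode.fields = { f_ts, f_probe, f_len, f_data }

-- Expert info for records shorter than their header or declared length, so a
-- truncated or malformed record is flagged instead of throwing a Lua error.
local ef_short = ProtoExpert.new("kpnode.short", "Record truncated",
                                 expert.group.MALFORMED, expert.severity.ERROR)
kpnode.experts = { ef_short }

local HDR_LEN = 14

function kpnode.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "KPNODE"
    local subtree = tree:add(kpnode, tvb(), "kpnode record")

    -- Bounds check before touching any field: never read past the captured bytes.
    if tvb:len() < HDR_LEN then
        subtree:add_proto_expert_info(ef_short)
        return tvb:len()
    end

    subtree:add(f_ts,    tvb(0, 8))
    subtree:add(f_probe, tvb(8, 4))
    subtree:add(f_len,   tvb(12, 2))

    -- Clamp the declared payload length to what was actually captured.
    local plen  = tvb(12, 2):uint()
    local avail = tvb:len() - HDR_LEN
    if plen > avail then
        subtree:add_proto_expert_info(ef_short)
        plen = avail
    end
    if plen > 0 then
        subtree:add(f_data, tvb(HDR_LEN, plen))
    end

    pinfo.cols.info = string.format("probe 0x%08x, %d payload bytes",
                                    tvb(8, 4):uint(), plen)
    return HDR_LEN + plen
end

-- Bind to LINKTYPE_USER0 / DLT_USER0 (147). Frames from a capture handle whose
-- pcap_datalink() is DLT_USER0 are dispatched through the "wtap_encap" table.
DissectorTable.get("wtap_encap"):add(wtap.USER0, kpnode)
```

Load it with `wireshark -X lua_script:kpnode.lua` (or `tshark -X lua_script:kpnode.lua -r capture.pcap`), or drop it into the personal Lua plugins directory shown under Help > About Wireshark > Folders. If the dissector is instead built in C or as a C plugin, the equivalent step is registering it in the `wtap_encap` dissector table for `WTAP_ENCAP_USER0`; in both cases the USERn slot must not collide with another user dissector configured under Preferences > Protocols > DLT_USER.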