On Jun 29, 2022, at 10:23 PM, Benjamin Mixon-Baca <bmixonba@xxxxxxx> wrote:
> I am writing a tool that processes pcap/pcapng files and extracts metadata about packets, such as the frequency of specific bytes, and information about specific byte sequences. Is there a way for me to integrate this into a pcap/pcapng file such that when wireshark reads the pcap file, my metadata gets displayed somehow?
Pcap no, pcapng yes.
> As an example, imagine I have a packet such as
>
> | ip | tcp | payload
> -------------------------------------
> | | | "client_ip=X.X.X.X"
> .
> .
> .
> | | | "client_ip=Y.Y.Y.Y"
>
>
> I want to be able to somehow highlight and/or annotate the string "client_ip" with, e.g., the number of times this string occurs. Is there a way to accomplish this using pcapng extensions or custom block types in some way?
Possibility 1: add a comment that says something such as
The string "client_ip" appears N times in this packet.
to each packet. (Remember, if N = 1, it's "time".)
Possibility 2: add your own custom option type to say similar things.
The advantage of possibility 1 is that it requires precisely zero changes to Wireshark, and the metadata will be preserved by any program that fully supports reading and writing pcapng files.
Custom block types wouldn't add the metadata to packets, it'd add it to the file, with the user, or the program reading the file, having to associate metadata items with the packets to which they apply.
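Possibility 1 in working form, as an added example (this is not code from the thread or from the Wireshark project): a small pure-Python rewriter that walks a pcapng file, counts an assumed needle ("client_ip", taken from the question) in each Enhanced Packet Block's packet data, and appends an opt_comment (option code 1) to that block, keeping any options the block already had and rebuilding the block length fields. The pcapng layout assumed is the published one: Section Header Block 0x0A0D0D0A carrying the 0x1A2B3C4D byte-order magic, Interface Description Block type 1, EPB type 6, and everything padded to 32 bits. The sample capture is constructed in memory so the script runs offline; point it at a real file to annotate that instead. Wireshark displays opt_comment as a packet comment, so no Wireshark change is needed.

```python
"""Append an opt_comment to each pcapng EPB saying how often a byte string occurs.
Added example, not from the mailing-list thread. Block/option codes per pcapng:
SHB 0x0A0D0D0A, IDB 1, EPB 6, opt_comment 1, opt_endofopt 0, 32-bit padding."""
import struct
import sys

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
OPT_ENDOFOPT, OPT_COMMENT = 0, 1
BYTE_ORDER_MAGIC = 0x1A2B3C4D
NEEDLE = b"client_ip"  # assumed search string, taken from the question


def _pad4(b: bytes) -> bytes:
    """pcapng pads packet data and option values to a 32-bit boundary."""
    return b + b"\0" * (-len(b) % 4)


def _parse_options(buf: bytes, end: str):
    """Yield (code, value) from an option list; stops at opt_endofopt or end of buffer."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack(end + "HH", buf[off:off + 4])
        off += 4
        if code == OPT_ENDOFOPT:
            break
        yield code, buf[off:off + length]
        off += (length + 3) & ~3


def _build_options(opts, end: str) -> bytes:
    """Serialise options; a non-empty list must be terminated by opt_endofopt."""
    if not opts:
        return b""
    body = b"".join(struct.pack(end + "HH", c, len(v)) + _pad4(v) for c, v in opts)
    return body + struct.pack(end + "HH", OPT_ENDOFOPT, 0)


def _block(btype: int, body: bytes, end: str) -> bytes:
    """Frame a block body: type, total length, body, total length again."""
    total = 12 + len(body)
    return struct.pack(end + "II", btype, total) + body + struct.pack(end + "I", total)


def iter_blocks(data: bytes):
    """Yield (type, body, endianness) for every block; each SHB sets the byte order."""
    end, off = "<", 0
    while off + 12 <= len(data):
        btype = struct.unpack(end + "I", data[off:off + 4])[0]
        if btype == SHB:  # the SHB type value reads the same in either byte order
            magic = struct.unpack("<I", data[off + 8:off + 12])[0]
            end = "<" if magic == BYTE_ORDER_MAGIC else ">"
        total = struct.unpack(end + "I", data[off + 4:off + 8])[0]
        if total < 12 or off + total > len(data):
            raise ValueError("truncated or corrupt block at offset %d" % off)
        yield btype, data[off + 8:off + total - 4], end
        off += total


def comment_for(pkt: bytes) -> bytes:
    """The comment text suggested in the thread, with correct singular/plural."""
    n = pkt.count(NEEDLE)
    return b'The string "client_ip" appears %d %s in this packet.' % (n, b"time" if n == 1 else b"times")


def _epb_parts(body: bytes, end: str):
    """Split an EPB body into (20-byte fixed header, packet data, option bytes)."""
    caplen = struct.unpack(end + "I", body[12:16])[0]
    opts_off = 20 + ((caplen + 3) & ~3)
    return body[:20], body[20:20 + caplen], body[opts_off:]


def annotate(data: bytes) -> bytes:
    """Return a copy of the capture with a comment appended to every EPB.
    Existing options (including earlier comments) are kept; other blocks pass through."""
    out = bytearray()
    for btype, body, end in iter_blocks(data):
        if btype == EPB:
            hdr, pkt, optbuf = _epb_parts(body, end)
            opts = list(_parse_options(optbuf, end)) + [(OPT_COMMENT, comment_for(pkt))]
            body = hdr + _pad4(pkt) + _build_options(opts, end)
        out += _block(btype, body, end)
    return bytes(out)


def packet_comments(data: bytes):
    """List, per EPB, the opt_comment values it carries (used to check the result)."""
    return [[v for c, v in _parse_options(_epb_parts(body, end)[2], end) if c == OPT_COMMENT]
            for btype, body, end in iter_blocks(data) if btype == EPB]


def sample_capture(end: str = "<") -> bytes:
    """Constructed test input: SHB, one IDB (LINKTYPE_RAW = 101), three EPBs with fake payloads."""
    shb = _block(SHB, struct.pack(end + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1), end)
    idb = _block(IDB, struct.pack(end + "HHI", 101, 0, 65535), end)
    payloads = [b"GET /?client_ip=10.0.0.1&x=client_ip=10.0.0.2 HTTP/1.1\r\n", b"hello", b"client_ip=1"]
    epbs = b""
    for i, p in enumerate(payloads):
        hdr = struct.pack(end + "IIIII", 0, 0, i, len(p), len(p))  # iface, ts hi, ts lo, caplen, len
        pre = _build_options([(OPT_COMMENT, b"pre-existing")], end) if i == 1 else b""
        epbs += _block(EPB, hdr + _pad4(p) + pre, end)
    return shb + idb + epbs


if __name__ == "__main__":  # usage: python annotate.py in.pcapng > out.pcapng
    src = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(src, "rb").read() if src else sample_capture()
    sys.stdout.buffer.write(annotate(data))
```

Two things worth noting: the rewriter re-reads the byte order from every SHB rather than assuming little-endian, since a pcapng file may contain several sections, and it appends rather than replaces comments, because pcapng allows more than one opt_comment per block and a tool that silently drops someone else's annotations is the kind of thing that loses evidence.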