On Thu., 30 June 2022 at 18:07, Benjamin Mixon-Baca <bmixonba@xxxxxxx> wrote:
Thank you, Guy and Roland!
Do either of you happen to know of some programming examples/documentation for modifying the pcapng format as in possibility one?
To add to possibility 1 by Guy, comments per packet are being displayed in the Packet Detail pane in Wireshark. So it would be readily available to anyone opening the trace file without really having to search for it.
cheers
Roland
On Jun 29, 2022, at 10:23 PM, Benjamin Mixon-Baca <bmixonba@xxxxxxx> wrote:
> I am writing a tool that processes pcap/pcapng files and extracts metadata about packets, such as the frequency of specific bytes, and information about specific byte sequences. Is there a way for me to integrate this into a pcap/pcapng file such that when wireshark reads the pcap file, my metadata gets displayed somehow?
Pcap no, pcapng yes.
> As an example, imagine I have a packet such as
>
> | ip | tcp | payload
> -------------------------------------
> | | | "client_ip=X.X.X.X"
> .
> .
> .
> | | | "client_ip=Y.Y.Y.Y"
>
>
> I want to be able to somehow highlight and/or annotate the string "client_ip" with, e.g., the number of times this string occurs. Is there a way to accomplish this using pcapng extensions or custom block types in some way?
Possibility 1: add a comment that says something such as
The string "client_ip" appears N times in this packet.
to each packet. (Remember, if N = 1, it's "time".)
Possibility 2: add your own custom option type to say similar things.
The advantage of possibility 1 is that it requires precisely zero changes to Wireshark, and the metadata will be preserved by any program that fully supports reading and writing pcapng files.
Custom block types wouldn't add the metadata to packets, it'd add it to the file, with the user, or the program reading the file, having to associate metadata items with the packets to which they apply.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe