Wireshark-dev: Re: [Wireshark-dev] Adding custom metadata to packets

From: chuck c <bubbasnmp@xxxxxxxxx>
Date: Thu, 30 Jun 2022 11:20:32 -0500
If you'd like to kick the tires with a POC, editcap supports adding frame and capture comments:

On Thu, Jun 30, 2022 at 11:15 AM Roland Knall <rknall@xxxxxxxxx> wrote:
Well, I know of no direct example, but a good overview of pcapng can be found here: https://wiki.wireshark.org/Development/PcapNg

Just ignore any bug reference, the page is outdated. As far as I know we have fully implemented the comment blocks within Wireshark and it should point you in the right direction. Also, the specification might be of some help: https://www.ietf.org/staging/draft-tuexen-opsawg-pcapng-02.html

cheers
Roland

On Thu., 30 June 2022 at 18:07, Benjamin Mixon-Baca <bmixonba@xxxxxxx> wrote:
Thank you, Guy and Roland!

Do either of you happen to know of some programming examples/documentation for modifying the pcapng format as in possibility one?

On Thu, Jun 30, 2022 at 2:04 AM Roland Knall <rknall@xxxxxxxxx> wrote:
To add to possibility 1 by Guy, comments per packet are being displayed in the Packet Detail pane in Wireshark. So it would be readily available to anyone opening the trace file without really having to search for it.

cheers
Roland

On Thu., 30 June 2022 at 09:59, Guy Harris <gharris@xxxxxxxxx> wrote:
On Jun 29, 2022, at 10:23 PM, Benjamin Mixon-Baca <bmixonba@xxxxxxx> wrote:

> I am writing a tool that processes pcap/pcapng files and extracts metadata about packets, such as the frequency of specific bytes, and information about specific byte sequences. Is there a way for me to integrate this into a pcap/pcapng file such that when wireshark reads the pcap file, my metadata gets displayed somehow?

Pcap no, pcapng yes.

> As an example, imagine I have a packet such as
>
> |   ip  | tcp |  payload
> -------------------------------------
> |        |       |  "client_ip=X.X.X.X"
> .
> .
> .
> |        |       |  "client_ip=Y.Y.Y.Y"
>
>
> I want to be able to somehow highlight and/or annotate the string "client_ip" with, e.g., the number of times this string occurs. Is there a way to accomplish this using pcapng extensions or custom block types in some way?

Possibility 1: add a comment that says something such as

        The string "client_ip" appears N times in this packet.

to each packet.  (Remember, if N = 1, it's "time".)

Possibility 2: add your own custom option type to say similar things.

The advantage of possibility 1 is that it requires precisely zero changes to Wireshark, and the metadata will be preserved by any program that fully supports reading and writing pcapng files.

Custom block types wouldn't add the metadata to packets, it'd add it to the file, with the user, or the program reading the file, having to associate metadata items with the packets to which they apply.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
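A worked version of possibility 1, added here as an illustration and not code from this thread or from the Wireshark project. It writes a minimal little-endian pcapng file (Section Header Block, Interface Description Block, one Enhanced Packet Block per packet) with Python's struct module, attaches an opt_comment (option code 1) to each EPB stating how many times "client_ip" occurs in that packet, and then walks the blocks again to show the comment is recoverable. The sample packets are constructed, the link type is DLT_USER0 (147) so Wireshark shows them as raw bytes rather than trying to dissect them, and the reader assumes the little-endian section this writer produces; all function names are mine.

```python
"""Annotate packets with per-packet pcapng comments (opt_comment) and read them back.

Block layout follows draft-tuexen-opsawg-pcapng: each block is
<type><total length><body><total length>, every option is
<code><length><value padded to 4 bytes>, and the option list ends with opt_endofopt.
"""
import struct

SHB_TYPE = 0x0A0D0D0A          # Section Header Block
IDB_TYPE = 0x00000001          # Interface Description Block
EPB_TYPE = 0x00000006          # Enhanced Packet Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D  # written little-endian by this script
OPT_ENDOFOPT = 0
OPT_COMMENT = 1
LINKTYPE_USER0 = 147           # DLT_USER0: Wireshark displays the bytes as raw data

# Constructed sample packets standing in for the ip/tcp/payload bytes in the thread.
SAMPLE_PACKETS = [
    b"client_ip=10.0.0.1",
    b"client_ip=10.0.0.2 client_ip=10.0.0.3",
    b"no marker here",
]


def _pad4(b: bytes) -> bytes:
    """Pad to a 32-bit boundary, as pcapng requires for packet data and option values."""
    return b + b"\x00" * (-len(b) % 4)


def _option(code: int, value: bytes) -> bytes:
    return struct.pack("<HH", code, len(value)) + _pad4(value)


def _block(block_type: int, body: bytes) -> bytes:
    total = 12 + len(body)  # type (4) + length (4) + body + trailing length (4)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def comment_for(payload: bytes, needle: bytes = b"client_ip") -> str:
    """The comment text Guy suggests, with the N = 1 singular handled."""
    n = payload.count(needle)
    unit = "time" if n == 1 else "times"
    return f'The string "{needle.decode()}" appears {n} {unit} in this packet.'


def build_pcapng(packets, ts_start_us: int = 1_656_547_200_000_000) -> bytes:
    """Return the bytes of a pcapng file with one commented EPB per packet.

    Timestamps are microseconds (the IDB default resolution), starting at ts_start_us.
    """
    shb_body = struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1) + _option(OPT_ENDOFOPT, b"")
    idb_body = struct.pack("<HHI", LINKTYPE_USER0, 0, 65535) + _option(OPT_ENDOFOPT, b"")
    out = [_block(SHB_TYPE, shb_body), _block(IDB_TYPE, idb_body)]
    for i, pkt in enumerate(packets):
        ts = ts_start_us + i
        body = struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(pkt), len(pkt))
        body += _pad4(pkt)
        body += _option(OPT_COMMENT, comment_for(pkt).encode("utf-8"))
        body += _option(OPT_ENDOFOPT, b"")
        out.append(_block(EPB_TYPE, body))
    return b"".join(out)


def read_packet_comments(data: bytes):
    """Walk a little-endian pcapng file; return [(packet_bytes, [comments]), ...] per EPB.

    Block lengths are validated against the file size and the trailing length field,
    so a truncated or corrupted file raises instead of being silently misread.
    """
    results, off = [], 0
    while off + 12 <= len(data):
        btype, blen = struct.unpack_from("<II", data, off)
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError(f"bad block length {blen} at offset {off}")
        if struct.unpack_from("<I", data, off + blen - 4)[0] != blen:
            raise ValueError(f"trailing length mismatch at offset {off}")
        if btype == EPB_TYPE:
            _iface, _ts_hi, _ts_lo, caplen, _origlen = struct.unpack_from("<IIIII", data, off + 8)
            pkt_start, opt_end = off + 28, off + blen - 4
            if pkt_start + caplen > opt_end:
                raise ValueError(f"captured length {caplen} exceeds block at offset {off}")
            pkt = data[pkt_start:pkt_start + caplen]
            opt_off, comments = pkt_start + caplen + (-caplen % 4), []
            while opt_off + 4 <= opt_end:
                code, olen = struct.unpack_from("<HH", data, opt_off)
                if code == OPT_ENDOFOPT:
                    break
                value = data[opt_off + 4:opt_off + 4 + olen]
                if code == OPT_COMMENT:
                    comments.append(value.decode("utf-8"))
                opt_off += 4 + olen + (-olen % 4)
            results.append((pkt, comments))
        off += blen
    return results


if __name__ == "__main__":
    blob = build_pcapng(SAMPLE_PACKETS)
    with open("annotated.pcapng", "wb") as fh:
        fh.write(blob)
    for pkt, comments in read_packet_comments(blob):
        print(pkt, comments)
```

Opening annotated.pcapng in Wireshark shows each comment under the Frame tree, and the display filter `frame.comment contains "client_ip"` selects only the annotated packets, which is the "readily available without searching" property Roland describes. For an existing capture, editcap's `-a <framenum>:<comment>` option (the editcap feature chuck c refers to) adds the same opt_comment to a single frame without writing any code.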