Wireshark-dev: Re: [Wireshark-dev] Adding custom metadata to packets
From: Benjamin Mixon-Baca <bmixonba@xxxxxxx>
Date: Thu, 30 Jun 2022 10:29:37 -0600
I would absolutely use wireshark if I didn't have 120398757120938 packets to deal with :-<.
On Thu, Jun 30, 2022 at 10:26 AM Roland Knall <rknall@xxxxxxxxx> wrote:
Or you could use just the comment feature in wireshark ;-)
___________________________________________________________________________
On Thu, 30 June 2022 at 18:20, chuck c <bubbasnmp@xxxxxxxxx> wrote:
If you'd like to kick the tires with a POC, editcap supports adding frame and capture comments:
___________________________________________________________________________
On Thu, Jun 30, 2022 at 11:15 AM Roland Knall <rknall@xxxxxxxxx> wrote:
Well I do know of no direct example, but a good overview over pcapng can be found here: https://wiki.wireshark.org/Development/PcapNg
Just ignore any bug reference, the page is outdated. As far as I know we have fully implemented the comment blocks within Wireshark and it should point you in the right direction. Also, the specification might be of some help: https://www.ietf.org/staging/draft-tuexen-opsawg-pcapng-02.html
cheers
Roland
___________________________________________________________________________
On Thu, 30 June 2022 at 18:07, Benjamin Mixon-Baca <bmixonba@xxxxxxx> wrote:
Thank you, Guy and Roland!
Do either of you happen to know of some programming examples/documentation for modifying the pcapng format as in possibility one?
___________________________________________________________________________
On Thu, Jun 30, 2022 at 2:04 AM Roland Knall <rknall@xxxxxxxxx> wrote:
To add to possibility 1 by Guy, comments per packet are being displayed in the Packet Detail pane in Wireshark. So it would be readily available to anyone opening the trace file without really having to search for it.
cheers
Roland
___________________________________________________________________________
On Thu, 30 June 2022 at 09:59, Guy Harris <gharris@xxxxxxxxx> wrote:
On Jun 29, 2022, at 10:23 PM, Benjamin Mixon-Baca <bmixonba@xxxxxxx> wrote:
> I am writing a tool that processes pcap/pcapng files and extracts metadata about packets, such as the frequency of specific bytes, and information about specific byte sequences. Is there a way for me to integrate this into a pcap/pcapng file such that when wireshark reads the pcap file, my metadata gets displayed somehow?
Pcap no, pcapng yes.
> As an example, imagine I have a packet such as
>
> | ip | tcp | payload
> -------------------------------------
> | | | "client_ip=X.X.X.X"
> .
> .
> .
> | | | "client_ip=Y.Y.Y.Y"
>
>
> I want to be able to somehow highlight and/or annotate the string "client_ip" with, e.g., the number of times this string occurs. Is there a way to accomplish this using pcapng extensions or custom block types in some way?
Possibility 1: add a comment that says something such as
The string "client_ip" appears N times in this packet.
to each packet. (Remember, if N = 1, it's "time".)
Possibility 2: add your own custom option type to say similar things.
The advantage of possibility 1 is that it requires precisely zero changes to Wireshark, and the metadata will be preserved by any program that fully supports reading and writing pcapng files.
Custom block types wouldn't add the metadata to packets, it'd add it to the file, with the user, or the program reading the file, having to associate metadata items with the packets to which they apply.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
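Possibility 1 from the thread, worked through as an added example (this is not code from the thread or from the Wireshark project): a minimal pcapng writer that puts Guy's sentence into an opt_comment (option code 1) on each Enhanced Packet Block whose payload contains "client_ip", plus a reader that walks the blocks and pulls the comments back out. Block and option layout follow the pcapng draft Roland linked; the sample Ethernet/IPv4/TCP frames, their payloads and timestamps are constructed here, with checksums left at zero. Only the comment option is emitted, so no Wireshark changes are needed, which is exactly the point Guy made.

```python
import struct

# pcapng constants (block types and option codes from the pcapng draft)
BYTE_ORDER_MAGIC = 0x1A2B3C4D
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
OPT_ENDOFOPT, OPT_COMMENT = 0, 1
LINKTYPE_ETHERNET = 1
NEEDLE = b"client_ip"          # the byte string the thread wants annotated


def _pad4(b):
    """Pad to a 32-bit boundary, as every pcapng data field and option value must be."""
    return b + b"\x00" * (-len(b) % 4)


def _option(code, value):
    """One option record: uint16 code, uint16 value length, value padded to 4 bytes."""
    return struct.pack("<HH", code, len(value)) + _pad4(value)


def _block(block_type, body):
    """Wrap a body as a block: type, total length, body, total length again."""
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def section_header():
    # byte-order magic, major 1, minor 0, section length -1 (unknown); no options
    return _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))


def interface_description(linktype=LINKTYPE_ETHERNET, snaplen=65535):
    # linktype, reserved, snaplen; timestamps default to microseconds
    return _block(IDB, struct.pack("<HHI", linktype, 0, snaplen))


def enhanced_packet(iface, ts_us, data, comment=None):
    """EPB carrying an optional opt_comment; the option list is omitted when empty."""
    header = struct.pack("<IIIII", iface, ts_us >> 32, ts_us & 0xFFFFFFFF,
                         len(data), len(data))
    opts = b""
    if comment is not None:
        opts = _option(OPT_COMMENT, comment.encode("utf-8")) + _option(OPT_ENDOFOPT, b"")
    return _block(EPB, header + _pad4(data) + opts)


def comment_for(data):
    """Guy's wording, with "time" for N = 1; None when the string is absent."""
    n = data.count(NEEDLE)
    if n == 0:
        return None
    return 'The string "%s" appears %d %s in this packet.' % (
        NEEDLE.decode(), n, "time" if n == 1 else "times")


def annotate(packets):
    """packets: iterable of (timestamp_us, frame bytes) -> complete pcapng bytes."""
    out = section_header() + interface_description()
    for ts_us, data in packets:
        out += enhanced_packet(0, ts_us, data, comment_for(data))
    return out


def read_comments(blob):
    """Return each EPB's opt_comment (None if it has none), in file order.
    Assumes the little-endian layout written above; a general reader must
    honour the byte-order magic of every SHB it meets."""
    assert struct.unpack_from("<I", blob, 8)[0] == BYTE_ORDER_MAGIC
    comments, off = [], 0
    while off < len(blob):
        block_type, total = struct.unpack_from("<II", blob, off)
        if block_type == EPB:
            caplen = struct.unpack_from("<I", blob, off + 20)[0]
            pos = off + 28 + (caplen + 3) // 4 * 4   # first option record
            end = off + total - 4                    # trailing length field
            comment = None
            while pos < end:
                code, length = struct.unpack_from("<HH", blob, pos)
                if code == OPT_ENDOFOPT:
                    break
                if code == OPT_COMMENT:
                    comment = blob[pos + 4:pos + 4 + length].decode("utf-8")
                pos += 4 + (length + 3) // 4 * 4
            comments.append(comment)
        off += total
    return comments


def _frame(payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample; checksums left at zero."""
    eth = bytes.fromhex("020000000002" "020000000001" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 8080, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


# Constructed sample traffic mirroring the payloads in the original question.
SAMPLE_PACKETS = [
    (1_656_600_000_000_000, _frame(b"client_ip=192.0.2.10\n")),
    (1_656_600_000_000_100, _frame(b"hello\n")),
    (1_656_600_000_000_200, _frame(b"client_ip=192.0.2.10;client_ip=192.0.2.11\n")),
]

if __name__ == "__main__":
    blob = annotate(SAMPLE_PACKETS)
    with open("annotated.pcapng", "wb") as f:
        f.write(blob)
    print(read_comments(blob))
```

Opening annotated.pcapng in Wireshark shows the comment for packets 1 and 3 in the Packet Details pane, as Roland describes, and the reader above is the check that the option survived a round trip. Since only standard options are written, any tool that fully supports pcapng (editcap, tshark, mergecap) keeps the comments when it rewrites the file.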