Wireshark-users: [Wireshark-users] Wireshark scripting?

From: David <lists@xxxxxxxxx>
Date: Tue, 05 Feb 2008 10:20:02 +0000
Has any thought ever been given to giving Wireshark a scripting engine? I'm not fussed what language, Python or similar would be nice. This could make it much easier to do custom things with packets or streams.

As I see it, Wireshark currently has some excellent features such as:

- fairly reliable stream reassembly
- excellent protocol decoding
- a command-line equivalent that has all the same features
- standard pcap filtering but also display filtering with access to protocol fields

From a scripting engine, the following sorts of things would be useful and allow Wireshark to undertake a whole variety of extra tasks:

- per packet or per stream inspection
- access to the raw packet data at a certain level (e.g. Ethernet->IP->TCP->data) to save it/inspect it - access to headers of certain protocols to rewrite them, e.g. changing MAC addresses or vlan headers
- access to the decoded protocol fields, e.g. TCP->data->http.request.uri

Many of the current statistics scripts could be rewritten using it, which might suffer a speed penalty but would allow a lot of customisation.

There are plenty of tools to do some of these things but many of them struggle with anything other than pcap (or can only capture from the network), cannot handle frames with extra headers such as vlan, will only process ethernet etc.

David