On Jun 4, 2009, at 12:48 PM, Satish Chandra wrote:
> I don't know how the output from dumpcap goes to wireshark. I wish
> to replace dumpcap with my utility and want wireshark to decode the
> byte stream on run-time.
In other words, you want to do a live capture of packets from some
source other than libpcap/WinPcap.
When doing a live capture in Wireshark (or TShark), whenever a set of
packets arrives, dumpcap writes them to a pcap-format capture file and
sends to Wireshark (or TShark) a message saying that some number of
packets have arrived.
A pcap-format file is, in some sense, a byte stream, as *all* files on
UN*X or Windows (except for "special files" on UN*X) are, ultimately,
(seekable) byte streams. However, as is the case with most non-text
files, the byte stream has a certain structure to it; it's not just a
raw byte stream.
The format of the messages sent over the pipe between Wireshark/TShark
and dumpcap is subject to change (and probably *will* change over
time). I would not recommend trying to replace dumpcap at this point.
Instead, what I would recommend that you do is to have your utility
write pcap-format files to a named pipe, and, in Wireshark, capture
from a "device" that is the named pipe. For example, on UN*X, you
could create a temporary named pipe "capturepipe" in /tmp:
mkfifo /tmp/capturepipe
and then:
1) start your program and have it write a pcap-format file header,
followed by the sequence of packets in pcap-file format, to that pipe;
2) start up Wireshark and have it capture from "/tmp/capturepipe".
I don't know how that would be done on Windows, but there might be
similar things one could do with named pipes.
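As an added illustration of the named-pipe approach described above (example code, not part of the original message or of the Wireshark project), here is a small Python writer that emits the 24-byte pcap file header followed by 16-byte-header packet records; the sample frame, its timestamp and the /tmp/capturepipe default are constructed, and the function works equally against a regular file for testing.

```python
import struct
import time

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap; written little-endian here
PCAP_VERSION = (2, 4)
LINKTYPE_ETHERNET = 1        # DLT_EN10MB: Wireshark dissects records as Ethernet frames
SNAPLEN = 65535


def pcap_global_header(linktype=LINKTYPE_ETHERNET, snaplen=SNAPLEN):
    """The file header: magic, version, thiszone, sigfigs, snaplen, linktype.
    This must be the very first thing written to the pipe."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, PCAP_VERSION[0], PCAP_VERSION[1],
                       0, 0, snaplen, linktype)


def pcap_record(data, ts=None, snaplen=SNAPLEN):
    """One packet record: ts_sec, ts_usec, captured length, original length, bytes.
    Packets longer than snaplen are truncated, but orig_len keeps the true size."""
    if ts is None:
        ts = time.time()
    ts_sec = int(ts)
    ts_usec = int(round((ts - ts_sec) * 1_000_000))
    if ts_usec == 1_000_000:          # rounding edge: carry into the seconds field
        ts_sec, ts_usec = ts_sec + 1, 0
    captured = data[:snaplen]
    return struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(data)) + captured


def write_pcap_stream(path, packets, linktype=LINKTYPE_ETHERNET):
    """Write the header and then every (timestamp, bytes) pair to `path`.
    `path` may be a FIFO created with mkfifo (open() blocks until Wireshark
    opens the read side) or an ordinary file. Returns total bytes written."""
    total = 0
    with open(path, "wb", buffering=0) as out:   # unbuffered: records reach the reader promptly
        total += out.write(pcap_global_header(linktype))
        for ts, data in packets:
            total += out.write(pcap_record(data, ts))
    return total


# Constructed sample: broadcast destination, made-up source MAC, ARP ethertype, 28 zero bytes
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "0200deadbeef" "0806") + b"\x00" * 28

if __name__ == "__main__":
    import sys
    fifo = sys.argv[1] if len(sys.argv) > 1 else "/tmp/capturepipe"   # run mkfifo on it first
    print("wrote", write_pcap_stream(fifo, [(1244123456.5, SAMPLE_FRAME)]), "bytes to", fifo)
```

Start Wireshark capturing from the pipe before running the script, since the open on a FIFO waits for the reader.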