The Company that I work for wants to know some specific information about the open source Wireshark product. From what I've researched it looks like it will do everything that I will state below, but my boss wants me to ask people who have used it before to make sure that it can do some key things. These include:
Customizing the reader to interpret unrecognized packet types - It looks like creating a dissector plugin would work for this.
Having the Graph show the information in a meaningful way - From what documentation I saw on the IO Graph it seems that any information that can be represented by a graph can be configured after making a dissector to be able to read the packets.
Saving the packets with some added information - We wanted to add a header for time received and written to database. This is pretty trivial, because even if Wireshark didn't have the functionality of adding a header or some type of time stamp information, this would be pretty easy to implement.
Please let me know if Wireshark can't fulfill any of these; like I said, it looks like it will in the documentation. We're just pretty paranoid about a product not working for some unforeseen reason and we don't have the time to do an in-depth investigation of the Wireshark product.
asked 27 Nov '12, 15:42 mthwedwards, edited 27 Nov '12, 15:43
One Answer:
Yes, by adding a dissector you can extend the protocol "know-how" of Wireshark.
Yes. IO Graphs are pretty powerful if you need "statistics" about various characteristics of packets/protocols.
There is already a timestamp in the frame. So, no real need to add that. But you are right, if you have any special requirements regarding the timestamp you can extend Wireshark to your needs.
That's kind of strange. If you are willing to write extensions for Wireshark, that will take much more time than downloading Wireshark and looking at it for 1-2 days ;-) Anyway, Wireshark is a brilliant tool for network troubleshooting, and as it's open source, you can add whatever functionality you need, besides the tons of features already implemented. So, it looks like the right tool for you, based on the information you provided. Regards
answered 27 Nov '12, 16:45 Kurt Knochner ♦, edited 27 Nov '12, 16:47
I agree, it does sound really odd that we're willing to write extensions for Wireshark, but aren't willing to look at it for 1-2 days. My boss is just conservative with how we spend our time since we're a small team, and we've been burned by a freeware product that looked amazing on paper and upfront, but once we set it up with a client-server setup it became very buggy. Anyways, thank you for the speedy reply; my boss will be happy to hear that the product is what we're looking for. (28 Nov '12, 07:23) mthwedwards
Good luck. If you have any further questions regarding Wireshark, you know where to ask ;-)) (28 Nov '12, 08:40) Kurt Knochner ♦
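To make the three answers above concrete, here is an added example, not code from this thread, from Wireshark, or from either participant: a small Lua dissector for a hypothetical protocol named ACME carried over UDP port 9999. The protocol name, the port, the header layout and the latency field are all assumptions constructed for this example. It demonstrates the three things the question asks about: a dissector teaching Wireshark a new packet type, a numeric field (acme.latency_us) that the IO Graph can plot with a Y axis such as AVG(acme.latency_us), and the per-frame capture timestamp (pinfo.abs_ts, which Wireshark already stores for every frame as frame.time) surfaced next to the protocol's own fields. It also bounds-checks the header and flags malformed or unknown input through expert info instead of silently misparsing, which is the part a dissector for traffic you do not fully trust has to get right.

```lua
-- Added example (not from the original thread): a minimal Lua dissector for a
-- hypothetical protocol "ACME" over UDP port 9999. Layout, port and field
-- names are constructed for this example.
-- Assumed wire format:
--   uint8  version
--   uint8  msg_type    (1 = request, 2 = response, 3 = error)
--   uint16 seq         (big-endian)
--   uint32 latency_us  (big-endian; the value the IO Graph will plot)
--   bytes  payload     (rest of the datagram)

local acme = Proto("acme", "ACME Example Protocol")

local msg_types = { [1] = "Request", [2] = "Response", [3] = "Error" }

local f_version = ProtoField.uint8 ("acme.version",    "Version",      base.DEC)
local f_type    = ProtoField.uint8 ("acme.type",       "Message Type", base.DEC, msg_types)
local f_seq     = ProtoField.uint16("acme.seq",        "Sequence",     base.DEC)
local f_latency = ProtoField.uint32("acme.latency_us", "Latency (us)", base.DEC)
local f_payload = ProtoField.bytes ("acme.payload",    "Payload")
-- The capture timestamp re-exposed as a protocol field, so it can be filtered
-- and displayed alongside the protocol's own fields (frame.time already has it).
local f_rx_time = ProtoField.absolute_time("acme.rx_time", "Received", base.LOCAL)

acme.fields = { f_version, f_type, f_seq, f_latency, f_payload, f_rx_time }

-- Expert info flags bad input (filterable via _ws.expert) instead of
-- mis-parsing it silently.
local ef_short = ProtoExpert.new("acme.short", "ACME header truncated",
                                 expert.group.MALFORMED, expert.severity.ERROR)
local ef_type  = ProtoExpert.new("acme.badtype", "Unknown ACME message type",
                                 expert.group.PROTOCOL, expert.severity.WARN)
acme.experts = { ef_short, ef_type }

local HDR_LEN = 8

function acme.dissector(buffer, pinfo, tree)
    local len = buffer:len()
    if len == 0 then return 0 end

    pinfo.cols.protocol = "ACME"
    local subtree = tree:add(acme, buffer(), "ACME Example Protocol")

    -- Never index past the end of the buffer: a truncated header is reported,
    -- not dereferenced.
    if len < HDR_LEN then
        subtree:add_proto_expert_info(ef_short)
        return len
    end

    subtree:add(f_version, buffer(0, 1))
    local type_item = subtree:add(f_type, buffer(1, 1))
    subtree:add(f_seq,     buffer(2, 2))
    subtree:add(f_latency, buffer(4, 4))
    -- Zero-length range: the timestamp comes from the frame, not from the bytes.
    subtree:add(f_rx_time, buffer(0, 0), pinfo.abs_ts)
    if len > HDR_LEN then
        subtree:add(f_payload, buffer(HDR_LEN, len - HDR_LEN))
    end

    local t = buffer(1, 1):uint()
    if msg_types[t] == nil then
        type_item:add_proto_expert_info(ef_type)
    end
    pinfo.cols.info = string.format("%s seq=%d",
                                    msg_types[t] or "Unknown", buffer(2, 2):uint())

    return len
end

-- Port 9999 is an assumption for this example.
DissectorTable.get("udp.port"):add(9999, acme)
```

Load it with wireshark -X lua_script:acme.lua (or drop the file in the personal Lua plugins directory), then in Statistics > I/O Graphs add a graph with display filter acme and Y axis AVG(acme.latency_us). One caveat on the third requirement in the question: fields and expert items produced by a dissector are computed at display time and are not written back to the capture file. The received time is already persisted for every packet in the pcap/pcapng record header, so a "time received" header does not need to be added to the capture; anything beyond that, such as a "written to database" time, has to live outside the capture file.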
I have to ask:
What is the ultimate objective?
Based upon the "interpret unrecognized packet types" requirement, I could get the impression that the objective is to build some kind of intrusion detection?
If so, I would expect there are tools more specialized and suitable for this purpose than Wireshark.
Also: what is the definition of "unrecognized packet types"? Identifying same could be pretty tricky.
We're creating a new communication protocol standard and we want to use Wireshark as a listener to capture all of the messages. The data that it captures will only be looked at for investigating performance issues and user mistakes, which should be rare. So we'll know the packet and the protocol beforehand; it just doesn't exist yet since we're still developing it.
O.K. Instead of writing your own dissector, you could try to use the Wireshark Generic Dissector.
If your protocol is not too 'complicated', wsgd should be sufficient.
Wow, this is great. Thank you for the advice Kurt.