This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

The Company that I work for wants to know some specific information about the open source Wireshark product.

From what I've researched it looks like it will do everything that I will state below, but my boss wants me to ask people who have used it before to make sure that it can do some key things.

These include:

Customizing the reader to interpret unrecognized packet types - It looks like creating a dissector plugin would work for this.

Having the Graph show the information in a meaningful way - From what documentation I saw on the IO Graph it seems that any information that can be represented by a graph can be configured after making a dissector to be able to read the packets.

Saving the packets with some added information - We wanted to add a header for time received and written to database, this is pretty trivial because even if Wireshark didn't have the functionality of an adding a header or some type of time stamp information this would be pretty easy to implement.

Please let me know if Wireshark can't fulfill any of these, like I said it looks like it will in the documentation. We're just pretty paranoid about a product not working for some unforeseen reason and we don't have the time to do an in depth investigation of the Wireshark product.

asked 27 Nov '12, 15:42

mthwedwards's gravatar image

mthwedwards
6114
accept rate: 0%

edited 27 Nov '12, 15:43

I have to ask:

What is the ultimate objective ?

Based upon the "interpret unrecognized packet types" requirement, I could get the impression that the objective to build some kind of intrusion detection ?

If so, I would expect there are tools more specialized and suitable for this purpose than Wireshark.

Also: What is the definition of "unrecognized packet types" ? Identifying same could be pretty tricky.

(28 Nov '12, 08:02) Bill Meier ♦♦

We're creating a new communication protocol standard and we want to use Wireshark as a listener to capture all of the messages. The data that it captures will only be looked at for investigating performance issues and user mistakes, which should be rare. So we'll know the packet and the protocol before hand, it just doesn't exist yet since we're still developing it.

(28 Nov '12, 08:27) mthwedwards
2

O.K. instead of writing your own dissector, you could try to use the Wireshark Generic Dissector

http://wsgd.free.fr/

If your protocol is not to 'complicated', wsgd should be sufficient.

(28 Nov '12, 09:44) Kurt Knochner ♦

Wow, this is great. Thank you for the advice Kurt.

(28 Nov '12, 09:59) mthwedwards

Customizing

Yes, by adding a dissector you can extend the protocol "know-how" of Wireshark.

Graphs

Yes. IO Graphs are pretty powerfull if you need "statistics" about various characteristics of packets/protocols.

Saving packets

There is already a timestamp in the frame. So, no real need to add that. But you are right, if you have any special requirements regarding the timestamp you can extend Wireshark to your needs.

and we don't have the time to do an in depth investigation of the Wireshark product.

That's kind of strange. If you are willing to write extensions for Wireshark, that will take much more time than downloading Wireshark and looking at it for 1-2 days ;-)

Anyway, Wireshark is a brilliant tool for network troubleshooting, and as it's open source, you can add whatever functionality you need, besides the tons of features already implemented. So, it looks like the right tool for you, based on the information you provided.

Regards
Kurt

permanent link

answered 27 Nov '12, 16:45

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 27 Nov '12, 16:47

I agree, it does sound really odd that we're willing to write extensions for Wireshark, but aren't willing to look at it for 1-2 days. My boss is just conservative with how we spend our time since we're a small team, and we've been burned by a freeware product that looked amazing on paper and upfront, but once we set it up with a client server set up it became very buggy.

Anyways, thank you for the speedy reply, my boss will be happy to hear that the product is what we're looking for.

(28 Nov '12, 07:23) mthwedwards

good luck. If you have any further questions regarding Wireshark, you know where to ask ;-))

(28 Nov '12, 08:40) Kurt Knochner ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×637
×72
×40
×3
×1

question asked: 27 Nov '12, 15:42

question was seen: 2,278 times

last updated: 28 Nov '12, 09:59

p​o​w​e​r​e​d by O​S​Q​A