This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

My program writes PCAP-NG files. I open them with Wireshark.

Among others, my program writes in the Section Header Block its name and a description of the platform (options shb_hardware, shb_os, shb_userappl) and for each Interface Description Block a description of the network interface and the capture filter (options if_description and if_filter).

All these data I can see when I open the dump file with Wireshark and look at Statistics->Summary.

My program writes other data in the dump file: in each Interface Description Block, it also writes the system name of the network interface, as well as its IPv4 addresses and its MAC address (options if_name, if_IPv4addr and if_MACaddr).

These latter data I can't see through Wireshark. Do I miss something in Wireshark's GUI or is there any utility that reads PCAP-NG files and puts out all these fields?

asked 29 Sep '13, 02:36

ime-braun


You can see the Interface name in the Statistics->Summary, if you take a look at the first column of the list below the capture file comments. Wireshark does not show IP addresses or MACs for interfaces at the moment, at least as far as I can tell.

I've just updated TraceWrangler to show MAC and IP addresses in the PCAPng Structure Viewer, so if you run Windows somewhere you could use it to see them. Add your trace to the list, click on it, and select the "PCAPng Structure" Tab at the bottom.

PCAPng Structure Viewer

answered 29 Sep '13, 04:34

Jasper ♦♦

  1. Interface name: In the column you mention under Statistics->Summary, Wireshark shows the interface description (option if_description), not the name (option if_name). Wireshark shows the interface name when there's no interface description in the PCAP-NG dump, it seems: Wireshark itself doesn't write any interface description (as you can check by opening a Wireshark dump with HexEdit or your TraceWrangler), so the Wireshark GUI shows the interface name; my program writes in a PCAP-NG dump file the interface name as well as an interface description, so the Wireshark GUI shows the interface description instead.
  2. Addresses: TraceWrangler works great, thanks. The only issue is, it shows the IPv4 address bytes in reverse order: I write in the PCAP-NG dump file 192 168 3 75 (in this byte order) and TraceWrangler shows "75.3.168.192".
(01 Oct '13, 01:39) ime-braun

Hm, maybe I forgot to byte-swap the IP address, which would mean that I forgot it in two places - writing and reading the option :-) I'll have to check my code when I get home.

About the interface name - I didn't test yet what happens if both name and description are present, which is why I thought the name is in the summary.

(01 Oct '13, 02:35) Jasper ♦♦

Is there a way to access these fields (section header, interface description) from plugin dissector code written in C?

(14 Dec '16, 10:16) rashmi_s
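
As an added example (not code from this thread, Wireshark or TraceWrangler), here is a small Python reader that lists the Section Header Block and Interface Description Block options discussed above, including if_name, if_IPv4addr and if_MACaddr. It prints the IPv4 address as raw octets in file order, so the 192 168 3 75 case reads back as 192.168.3.75 whatever the section's byte order; the sample capture and the helpers `make_opt` and `make_block` are constructed for illustration.

```python
import struct

# block type -> (label, octets of fixed fields before the options, option code -> name)
BLOCKS = {0x0A0D0D0A: ("SHB", 16, {2: "shb_hardware", 3: "shb_os", 4: "shb_userappl"}),
          0x00000001: ("IDB", 8, {2: "if_name", 3: "if_description", 4: "if_IPv4addr", 6: "if_MACaddr"})}

def parse_options(data, endian, names):
    """Yield (name, text) for each known option in a block's option list."""
    pos = 0
    while pos + 4 <= len(data):
        code, length = struct.unpack_from(endian + "HH", data, pos)
        value = data[pos + 4:pos + 4 + length]
        if code == 0 or len(value) < length:   # opt_endofopt, or truncated value
            break
        pos += 4 + (length + 3) // 4 * 4       # values are padded to 32 bits
        name = names.get(code)
        if name == "if_IPv4addr" and length == 8:  # address + netmask, octets in file order
            yield name, "/".join(".".join(map(str, value[i:i + 4])) for i in (0, 4))
        elif name == "if_MACaddr" and length == 6:
            yield name, value.hex(":")
        elif name:
            yield name, value.decode("utf-8", "replace")

def dump_metadata(data):
    """Return [(block, option, text)] for every SHB and IDB in pcapng bytes."""
    out, endian, pos = [], "<", 0
    while pos + 12 <= len(data):
        if data[pos:pos + 4] == b"\x0a\x0d\x0d\x0a":   # SHB: magic 0x1A2B3C4D gives byte order
            endian = "<" if data[pos + 8:pos + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, total = struct.unpack_from(endian + "II", data, pos)
        if total < 12 or total % 4 or pos + total > len(data):
            raise ValueError("malformed or truncated block")
        if btype in BLOCKS:
            label, skip, names = BLOCKS[btype]
            out += [(label, n, v) for n, v in parse_options(data[pos + 8 + skip:pos + total - 4], endian, names)]
        pos += total
    return out

def make_opt(code, value, e="<"):    # sample builder: one option, padded to 32 bits
    return struct.pack(e + "HH", code, len(value)) + value + b"\0" * (-len(value) % 4)
def make_block(btype, body, e="<"):  # sample builder: adds opt_endofopt and both length fields
    return struct.pack(e + "II", btype, len(body) + 16) + body + struct.pack(e + "HHI", 0, 0, len(body) + 16)

# Constructed sample: little-endian SHB, then one IDB with the options from the question.
SAMPLE = make_block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1) + make_opt(4, b"mydumper")) + make_block(
    1, struct.pack("<HHI", 1, 0, 65535) + make_opt(2, b"eth0") + make_opt(3, b"LAN uplink")
    + make_opt(4, bytes([192, 168, 3, 75, 255, 255, 255, 0])) + make_opt(6, bytes.fromhex("0200005e0010")))
if __name__ == "__main__":
    print(*dump_metadata(SAMPLE), sep="\n")
```

For a real capture, pass the file contents: `dump_metadata(open(path, "rb").read())`.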
question asked: 29 Sep '13, 02:36

question was seen: 2,347 times

last updated: 14 Dec '16, 10:16