This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Stripping Headers on the Fly


A lot of folks use bittwiste, Perl/Python scripts, or maybe even the DLT_USER method to do something similar based on their goals, but to this point I haven't found an embedded method to process packets on the fly, and I wanted to know if others thought it was possible before I even tried.

I have a scenario where I have a UDP packet that always uses a UDP src/dst port of, say, XXXX, and the headers are always 42 bytes in length. Within the payload of the frame is the actual data frame, including headers, etc. I was thinking that it would be possible to write a dissector that filters on 'static int global_protocol_port = XXXX', strips off 42 bytes and hands off. However, the more I read into the process of how Wireshark dissects packets, the less sure I am that this is even possible to do on the fly as packets are being received on the wire. Any thoughts on this are more than welcome and appreciated.

asked 10 Mar '14, 04:47


LonestarZ06
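
The "filter on the port, strip 42 bytes, hand off" idea from the question, as an added example that is not the asker's code: a Wireshark Lua dissector that claims a UDP port, discards a fixed 42-byte encapsulation header and passes the remainder to the Ethernet dissector. The port number 9999 stands in for the question's "XXXX", and the inner frame is assumed to begin with an Ethernet header without FCS (the question only says it is "the actual data frame, including headers"); both are assumptions of this example.

```lua
-- Added example, not code from the original post.
-- Loads into Wireshark/tshark with -X lua_script:encap42.lua

local ENCAP_PORT = 9999   -- assumption: stands in for the question's "XXXX"
local HEADER_LEN = 42     -- fixed encapsulation header length from the question

local encap = Proto("encap42", "42-byte UDP encapsulation (example)")

-- Expose the stripped header as a single bytes field so it stays filterable.
local f_hdr = ProtoField.bytes("encap42.header", "Encapsulation header")
encap.fields = { f_hdr }

-- Assumption: the inner frame starts with an Ethernet header and carries no FCS.
-- "eth_withoutfcs" is the registered name of that Ethernet dissector variant.
local inner_dissector = Dissector.get("eth_withoutfcs")

function encap.dissector(tvb, pinfo, tree)
    -- A datagram shorter than the header cannot be ours; returning 0 lets
    -- Wireshark fall back to the generic data dissector instead of throwing.
    if tvb:len() < HEADER_LEN then
        return 0
    end

    pinfo.cols.protocol = encap.name
    local subtree = tree:add(encap, tvb(0, HEADER_LEN))
    subtree:add(f_hdr, tvb(0, HEADER_LEN))

    -- Strip the header: build a new Tvb that starts right after it and hand
    -- that to the Ethernet dissector, which dissects the inner frame normally.
    local inner = tvb(HEADER_LEN):tvb()
    inner_dissector:call(inner, pinfo, tree)

    return tvb:len()
end

-- Register on the UDP port so every datagram to/from it lands here first.
DissectorTable.get("udp.port"):add(ENCAP_PORT, encap)
```

Because dissectors run the same way on a live interface as on a capture file, this already works "on the fly": `tshark -i eth0 -X lua_script:encap42.lua -Y encap42` prints the decoded inner frames as they arrive. If the inner frame does not start at Ethernet (for example it is a raw IP packet), swap `eth_withoutfcs` for the matching dissector name such as `ip`.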

"I'm not sure this is even possible to do on the fly as packets are being received on the wire."

Do you need a continuous monitoring solution (running 24x7) that prints parts of your UDP payload as the frames fly by?

(10 Mar '14, 06:39) Kurt Knochner ♦

One Answer:


You should look into tap listeners, in this case for the udp_follow tap.

answered 10 Mar '14, 05:50


Jaap ♦
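
The tap-listener route the answer points at, as an added example rather than the answerer's code: a Lua `Listener` that fires for every UDP packet on the assumed port and prints the first bytes after the 42-byte header as packets are captured, with no dissector at all. It hooks the generic "frame" tap with a display filter instead of the C-level `udp_follow` tap named in the answer, because that is the form the Lua API exposes; port 9999 again stands in for "XXXX".

```lua
-- Added example, not code from the original answer.
-- Run live with: tshark -q -i eth0 -X lua_script:encap42_tap.lua

local ENCAP_PORT = 9999   -- assumption: stands in for the question's "XXXX"
local HEADER_LEN = 42     -- fixed encapsulation header length from the question
local PREVIEW    = 16     -- how many inner bytes to print per packet

-- Field extractor for the UDP protocol item; its offset/len locate the UDP
-- header inside the frame, so the payload begins at offset + len.
local udp_hdr = Field.new("udp")

local seen = 0

-- "frame" is the generic per-packet tap; the filter limits it to our port.
local tap = Listener.new("frame", "udp.port == " .. ENCAP_PORT)

function tap.packet(pinfo, tvb)
    local fi = udp_hdr()
    if not fi then
        return
    end

    local payload_off = fi.offset + fi.len      -- first byte of the UDP payload
    local inner_off   = payload_off + HEADER_LEN -- first byte after the 42-byte header

    -- Guard against datagrams too short to hold the encapsulation header.
    if inner_off > tvb:len() then
        print(string.format("frame %d: payload shorter than %d-byte header, skipped",
            pinfo.number, HEADER_LEN))
        return
    end

    seen = seen + 1
    local n = math.min(PREVIEW, tvb:len() - inner_off)
    local inner = tvb:range(inner_off, n)

    print(string.format("frame %d: %s:%d -> %s:%d inner[0:%d]=%s",
        pinfo.number,
        tostring(pinfo.src), pinfo.src_port,
        tostring(pinfo.dst), pinfo.dst_port,
        n, tostring(inner:bytes())))
end

-- Called at the end of a run (or periodically in the GUI) to summarise.
function tap.draw()
    print(string.format("%d encapsulated packets seen on UDP port %d", seen, ENCAP_PORT))
end
```

This is the lighter option when the goal is only to watch or log part of the payload: nothing is added to the protocol tree, so the output stays flat, but for a real decode of the inner frame a dissector registered on the port is still the right tool.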