
Scenario:

my dedicated web server gets little traffic daily which is not surprising because there is little to offer, for example, in the last 20 minutes, there was approximately 0.001% of its monthly included bandwidth usage quota.

monthly, my bandwidth usage rarely exceeds 10%, however, yesterday, May 23rd, there was over 1% (11.8 GB) in just over 15 hours.

i launched WireShark and set it to save a new capture file every 10MB or 10 minutes ... most of the captured files were 10MB; in about 92 minutes WireShark saved 140 10MB capture files.

analyzing these files manually will take me a very long time ...

QUESTION

are there c# API's that i can use to code a programmatic solution?

types of analysis that i'd like to code include number of times a given ip address occurred, ranked by most frequent to least frequent, protocol distribution, ip with protocol, source bytes, destination bytes, et cetera.

Thank you. Gerry

asked 24 May '14, 09:17


gerryLowry

edited 24 May '14, 09:19

my searches missed this: http://ask.wireshark.org/questions/10923/using-wireshark-libraries-in-c and another link that points to it. what i hope for is a simple c# API that already wraps libwireshark.dll and/or avoids complexity ... if libwireshark.dll is the only way, i'd like at least to locate documentation dealing with the file structure of WireShark's capture files ... my goal is not to recreate WireShark ... rather, i simply want, in a timely fashion, to analyze the data already captured yesterday.

(24 May '14, 09:58) gerryLowry

There's nothing directly for using Wireshark from C#, it's a native C application so you can use PInvoke to call it, but note that libwireshark isn't particularly designed for external use.

There is Pcap.Net which is mainly for working with Pcap files but it does have some packet dissection.

I think you would get results quicker, i.e. with less effort, using tshark to process the pcaps and then either use C# or a script language such as PowerShell to process the text output from tshark.

Note that tshark can already provide some of the analysis you are after, have a look at the -z,conv,... option

Edit: Fixed link to tshark man page.


answered 24 May '14, 14:22


grahamb ♦

edited 28 May '14, 14:22
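The tshark-to-text pipeline this answer recommends, as an added example that is not code from the thread or from the Wireshark project: tshark dumps a few fields per packet as tab-separated text, and plain awk/sort then produce the per-IP ranking, byte counts and protocol distribution the question asks for. It assumes tshark is on PATH and the 10 MB capture files are named capture_*.pcapng; the field names (ip.src, ip.dst, frame.len, frame.protocols) are real tshark field names.

```sh
#!/bin/sh
# Added example, not from the original thread. Assumes tshark on PATH and
# capture files named capture_*.pcapng (both assumptions, adjust to taste).

# Step 1: run once per capture file; emits "src<TAB>dst<TAB>len<TAB>protocols".
# Non-IP frames (e.g. ARP) leave ip.src/ip.dst empty and are skipped later.
extract_fields() {
    tshark -r "$1" -T fields -E separator=/t \
        -e ip.src -e ip.dst -e frame.len -e frame.protocols
}

# Step 2: aggregate the text on stdin, independent of how it was produced.
# Output: "ip  packets  bytes_sent  bytes_received", most frequent IP first.
rank_hosts() {
    awk -F '\t' 'NF >= 3 && $1 != "" && $2 != "" {
            pk[$1]++; pk[$2]++          # every packet counts once per endpoint
            tx[$1] += $3; rx[$2] += $3  # frame.len attributed to sender/receiver
        }
        END { for (ip in pk) printf "%s\t%d\t%d\t%d\n", ip, pk[ip], tx[ip]+0, rx[ip]+0 }' |
    sort -t "$(printf '\t')" -k2,2nr -k1,1
}

# Protocol distribution keyed on the innermost layer of frame.protocols
# (e.g. "eth:ethertype:ip:tcp:http" counts as http), most common first.
protocol_distribution() {
    awk -F '\t' 'NF >= 4 && $4 != "" { n = split($4, p, ":"); c[p[n]]++ }
        END { for (k in c) printf "%s\t%d\n", k, c[k] }' |
    sort -t "$(printf '\t')" -k2,2nr -k1,1
}

# Whole capture set in one pass (uncomment when tshark and the files exist):
# for f in capture_*.pcapng; do extract_fields "$f"; done > fields.tsv
# rank_hosts < fields.tsv
# protocol_distribution < fields.tsv
```

Because fields.tsv is plain tab-separated text, the same file can be loaded into C# or PowerShell later without touching libwireshark.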

grahamb, much appreciated food for thought, BTW, your tshark link also points to Pcap.Net. FWIW, given that i may have to analyze more files in the future, my hope was to be able to automate the process; i've always dealt with WireShark files manually but that is really time consuming ... tshark link looks like it is well worth some of my limited time to check out thoroughly.

(25 May '14, 08:24) gerryLowry

tshark batch file looks useful for creating .csv that [i hope] would be relatively easy to analyze programmatically and thus eliminate my need for a c# API.

(25 May '14, 08:41) gerryLowry

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(25 May '14, 12:04) Kurt Knochner ♦

@Kurt ... FWIW, i will accept grahamb's answer when i'm certain it's correct as it most likely is ... at the moment, i'm hoping that someone may be aware of something that grahamb might not have yet discovered ... the challenge with programming is that there is so much to know and so little time ... i've been programming since 1967 and still feel that i'm mostly ignorant about what's available; Kurt, i do appreciate your hint ... far too many questions with answers do get orphaned.

(28 May '14, 13:46) gerryLowry