This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

are there c# APIs to process a directory of many WireShark capture files programmatically?

0

Scenario:

my dedicated web server gets little traffic daily which is not surprising because there is little to offer, for example, in the last 20 minutes, there was approximately 0.001% of its monthly included bandwidth usage quota.

monthly, my bandwidth usage rarely exceeds 10%, however, yesterday, May 23rd, there was over 1% (11.8 GB) in just over 15 hours.

i launched WireShark and set it to save a new capture file every 10MB or 10 minutes ... most of the captured files were 10MB; in about 92 minutes WireShark saved 140 10MB capture files.

analyzing these files manually will take me a very long time ...

QUESTION

are there c# APIs that i can use to code a programmatic solution?

types of analysis that i'd like to code include number of times a given ip address occurred, ranked by most frequent to least frequent, protocol distribution, ip with protocol, source bytes, destination bytes, et cetera.

Thank you. Gerry

asked 24 May '14, 09:17


gerryLowry
accept rate: 0%

edited 24 May '14, 09:19

my searches missed this: http://ask.wireshark.org/questions/10923/using-wireshark-libraries-in-c and another link that points to it. what i hope for is a simple c# API that already wraps libwireshark.dll and/or avoids complexity ... if libwireshark.dll is the only way, i'd like at least to locate documentation dealing with the file structure of WireShark's capture files ... my goal is not to recreate WireShark ... rather, i simply want, in a timely fashion, to analyze the data already captured yesterday.

(24 May '14, 09:58) gerryLowry

One Answer:

1

There's nothing directly for using Wireshark from C#; it's a native C application, so you can use PInvoke to call it, but note that libwireshark isn't particularly designed for external use.

There is Pcap.Net which is mainly for working with Pcap files but it does have some packet dissection.

I think you would get results quicker, i.e. with less effort, using tshark to process the pcaps and then either use C# or a script language such as PowerShell to process the text output from tshark.

Note that tshark can already provide some of the analysis you are after; have a look at the -z,conv,... option.

Edit: Fixed link to tshark man page.

answered 24 May '14, 14:22


grahamb ♦
accept rate: 22%

edited 28 May '14, 14:22
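As an added illustration of the approach in this answer (tshark flattens each capture to text, a script does the counting), here is a Python example that is not from the original post or from the Wireshark project. It assumes each pcap was first exported with the real tshark command shown in the docstring, and the sample CSV embedded below is constructed, not captured traffic.

```python
"""Rank IPs, protocol mix and byte counts from tshark field output.

Assumed export step, run once per capture file (real tshark options):
    tshark -r capture_00001.pcap -T fields -E separator=, -E header=y \
        -e ip.src -e ip.dst -e _ws.col.Protocol -e frame.len > capture_00001.csv
"""
import csv
from collections import Counter
from io import StringIO

# Constructed sample of what the tshark command above emits (not real traffic).
# The ARP row has empty ip.src/ip.dst fields, as tshark emits for non-IP frames.
SAMPLE_CSV = """ip.src,ip.dst,_ws.col.Protocol,frame.len
203.0.113.7,192.0.2.10,TCP,74
192.0.2.10,203.0.113.7,TCP,66
203.0.113.7,192.0.2.10,HTTP,512
198.51.100.4,192.0.2.10,TCP,60
192.0.2.10,198.51.100.4,HTTP,1460
203.0.113.7,192.0.2.10,TCP,66
,,ARP,42
"""


def rows_from_files(paths):
    """Yield dict rows from every per-file tshark CSV (each file has its own header)."""
    for path in paths:
        with open(path, newline="") as fh:
            yield from csv.DictReader(fh)


def summarize(rows):
    """Return (ip_rank, protocols, src_bytes, dst_bytes) from tshark field rows."""
    ip_hits = Counter()     # how often each address appears as source or destination
    protocols = Counter()   # frames per value of the Protocol column
    src_bytes = Counter()   # frame bytes sent by each source address
    dst_bytes = Counter()   # frame bytes received by each destination address
    for row in rows:
        src, dst = row["ip.src"], row["ip.dst"]
        if not src or not dst:      # skip non-IP frames such as ARP
            continue
        size = int(row["frame.len"])
        ip_hits[src] += 1
        ip_hits[dst] += 1
        protocols[row["_ws.col.Protocol"]] += 1
        src_bytes[src] += size
        dst_bytes[dst] += size
    return ip_hits.most_common(), protocols, src_bytes, dst_bytes


def summarize_text(csv_text):
    """Convenience wrapper for CSV text already in memory."""
    return summarize(csv.DictReader(StringIO(csv_text)))


if __name__ == "__main__":
    for part in summarize_text(SAMPLE_CSV):
        print(part)
```

For a directory of exports, pass `sorted(glob.glob("*.csv"))` to `rows_from_files` and feed the result to `summarize`.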

grahamb, much appreciated food for thought, BTW, your tshark link also points to Pcap.Net. FWIW, given that i may have to analyze more files in the future, my hope was to be able to automate the process; i've always dealt with WireShark files manually but that is really time consuming ... tshark link looks like it is well worth some of my limited time to check out thoroughly.

(25 May '14, 08:24) gerryLowry

tshark batch file looks useful for creating .csv that [i hope] would be relatively easy to analyze programmatically and thus eliminate my need for a c# API.

(25 May '14, 08:41) gerryLowry

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(25 May '14, 12:04) Kurt Knochner ♦

@Kurt ... FWIW, i will accept grahamb's answer when i'm certain it's correct as it most likely is ... at the moment, i'm hoping that someone may be aware of something that grahamb might not have yet discovered ... the challenge with programming is that there is so much to know and so little time ... i've been programming since 1967 and still feel that i'm mostly ignorant about what's available; Kurt, i do appreciate your hint ... far too many questions with answers do get orphaned.

(28 May '14, 13:46) gerryLowry