This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

library for display filters

0

I am implementing a dissector for the SIP and RTP protocols. I have searched a lot for libpcap and Wireshark support for filtering SIP traffic.

Currently, I am using the tshark process to execute display filters to capture SIP traffic based on some SIP header values (e.g. Call-ID).

I want to use this feature as a library to integrate with my module. Let me know if this is possible by compiling any of the sources as a library.

asked 10 Jun '14, 18:20


creativeDrive
accept rate: 0%

I am implementing a dissector for the SIP and RTP protocols.
I want to use this feature as a library to integrate with my module.

When you say module, do you mean your dissector?

If so, is your question how to use display filters in the code of your dissector?

(12 Jun '14, 05:25) Kurt Knochner ♦

Well, currently I am reading an existing pcap which dumps all IP packets (because I need all of them in general) and filtering it using the tshark command (tshark -r <input.pcap> -w <output.pcap> 'sip.Call-Id == "xxxxx"').

As SIP display filters are already available (http://www.wireshark.org/docs/dfref/s/sip.html), I would like to use them as an API in my code to filter out the traffic I am interested in. This is a kind of two-pass filter.

But it would help if I could apply the display filter while capturing live traffic.

(12 Jun '14, 11:03) creativeDrive
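The second pass described in the comment above (keep only the packets whose SIP Call-ID matches, the job tshark does with 'sip.Call-ID == "..."'), written out as an added example that is not part of the original post and uses neither libwireshark nor libpcap. It reads a classic pcap with the standard library, walks Ethernet/IPv4/UDP, pulls the Call-ID header (long or compact "i" form) and writes the surviving records to a new pcap. The capture it runs on is constructed inline; the function and file names are this example's own, and it deliberately handles only the plain case (Ethernet link type, IPv4, unfragmented UDP, no pcapng).

```python
"""Filter SIP-over-UDP records in a classic pcap by Call-ID (stdlib only).

Added example: a hypothetical stand-in for
    tshark -r in.pcap -w out.pcap -Y 'sip.Call-ID == "..."'
covering Ethernet/IPv4/UDP/SIP only. Not Wireshark project code.
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4          # microsecond-resolution pcap, little-endian writer
PCAP_MAGIC_BE = 0xD4C3B2A1          # same magic seen through a big-endian writer
LINKTYPE_ETHERNET = 1


def build_pcap(records):
    """Serialise [(ts_sec, ts_usec, frame_bytes), ...] as a little-endian pcap image."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_pcap_records(data):
    """Yield (ts_sec, ts_usec, frame_bytes) from a classic pcap image."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng / nanosecond pcap not handled)")
    if struct.unpack_from(end + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def udp_payload(frame):
    """Return the UDP payload of an Ethernet/IPv4/UDP frame, or None if it is not one."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return None                                  # not IPv4 over plain Ethernet
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 17:
        return None                                  # not IPv4 / not UDP
    if struct.unpack_from("!H", ip, 6)[0] & 0x1FFF:
        return None                                  # non-first fragment: no SIP start line
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    udp = ip[ihl:total_len]
    if len(udp) < 8:
        return None
    return udp[8:struct.unpack_from("!H", udp, 4)[0]]


def sip_call_id(payload):
    """Call-ID of a SIP request/response (long 'Call-ID:' or compact 'i:'), else None."""
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    start = lines[0]
    if not (start.startswith(b"SIP/2.0 ") or start.endswith(b" SIP/2.0")):
        return None                                  # e.g. an RTP datagram on the same port
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() in (b"call-id", b"i"):
            return value.strip().decode("ascii", "replace")
    return None


def filter_pcap_by_call_id(pcap_bytes, call_id):
    """Second pass: keep only records whose Call-ID equals call_id (exact, case-sensitive
    like RFC 3261 and the display filter's ==). Returns (kept_indices, new_pcap_bytes)."""
    kept_idx, kept = [], []
    for idx, (ts_sec, ts_usec, frame) in enumerate(iter_pcap_records(pcap_bytes)):
        payload = udp_payload(frame)
        if payload is not None and sip_call_id(payload) == call_id:
            kept_idx.append(idx)
            kept.append((ts_sec, ts_usec, frame))
    return kept_idx, build_pcap(kept)


def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame for the sample capture (checksums left 0)."""
    ip_bytes = lambda a: bytes(int(o) for o in a.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip)) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip


def sample_pcap():
    """Constructed capture: two INVITEs with different Call-IDs, one RTP-like datagram,
    and a 200 OK that uses the compact 'i:' header for the first Call-ID."""
    def invite(cid):
        return (b"INVITE sip:bob@example.org SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.10:5060\r\n"
                b"From: <sip:alice@example.org>;tag=1\r\nTo: <sip:bob@example.org>\r\n"
                b"Call-ID: " + cid + b"\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")
    frames = [
        build_udp_frame("192.0.2.10", "192.0.2.20", 5060, 5060, invite(b"abc123@192.0.2.10")),
        build_udp_frame("192.0.2.10", "192.0.2.20", 5060, 5060, invite(b"def456@192.0.2.10")),
        build_udp_frame("192.0.2.10", "192.0.2.20", 5060, 5060, b"\x80\x00" + b"\x00" * 10),
        build_udp_frame("192.0.2.20", "192.0.2.10", 5060, 5060,
                        b"SIP/2.0 200 OK\r\ni: abc123@192.0.2.10\r\nContent-Length: 0\r\n\r\n"),
    ]
    return build_pcap([(1000 + i, 0, f) for i, f in enumerate(frames)])


if __name__ == "__main__":
    idx, out = filter_pcap_by_call_id(sample_pcap(), "abc123@192.0.2.10")
    print("kept records:", idx)          # kept records: [0, 3]
    with open("filtered.pcap", "wb") as fh:
        fh.write(out)
```

Running it writes filtered.pcap holding records 0 and 3 (the INVITE and its 200 OK); the second INVITE and the RTP-looking datagram are dropped. The point of the exercise is the one the answer below makes from the other side: matching on a single SIP header is a few dozen lines, whereas the generic 'sip.*' field vocabulary of the display-filter language only exists because the whole dissection engine sits behind it.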

One Answer:

1

O.K. According to your comment, it sounds to me like you want to create your own version of Wireshark/tshark, limited to SIP/RTP, and that you intend to use display filters during the capturing process.

Well, then the answer is: there is no 'official' library that's easy to use, because behind the scenes of display filters you will find the whole dissection engine of Wireshark. Yes, you can use that functionality (libwireshark) in your own code, but no, it's not simply a matter of linking the library against your code.

Please read the following answer:

http://stackoverflow.com/questions/10308127/using-libwireshark-to-get-wireshark-functionality-programatically

Then, if you still think you need that, take a look at projects using libwireshark and learn from their example.

https://www.altamiracorp.com/blog/employee-posts/how-to-use-libwireshark-to-dis
https://github.com/joeferner/node-shark
http://wirepy.readthedocs.org/
https://github.com/armenb/sharktools
http://netexpect.org/wiki

Regards
Kurt

answered 12 Jun '14, 11:38


Kurt Knochner ♦
accept rate: 15%

Thanks Kurt for giving me pointers in the right direction. I need to explore more as per my requirements.

(12 Jun '14, 12:09) creativeDrive