This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Custom Development Question


Sorry about the newbie question - but I am trying to get a handle on the power of Wireshark. I am wondering if it is possible to create a custom user interface for Wireshark, whereby a user wouldn't need to interact with it directly? If so, are there any tutorials and other resources I can use to investigate this further?

Thank you in advance!

asked 20 Jun '14, 15:37


JGo


Well, the whole point of the Wireshark application is to be interacted with by a user.

However, the core dissection capability of Wireshark is in a library. That library is used both by the Wireshark GUI application and the TShark command-line application, and could be used by other programs - but be aware that the API for that library is not fixed and is subject to significant, incompatible change between major releases of Wireshark.

What sort of custom interface are you thinking of here?

(20 Jun '14, 17:18) Guy Harris ♦♦

The UI that I am being asked to develop is meant to take events that occur in Wireshark and present them in a non-technical manner for non-technical users. My hope is that by using Wireshark I can find events that occur on the network and then create a front-end that would present those events using plain English. Maybe the best way to illustrate this is with a small use case. Pretend that Wireshark identified a network pattern that indicated a threat/event of some sort; the idea would be to then make my application aware of that threat and my application would translate the event into a workflow that was relevant and presented in a UI that assumed no knowledge of networks or the underlying technologies. The net of it is that I would like to use Wireshark as my backend engine, so that I don't have to recreate all the amazingly great things it does. I have been thinking of maybe using WinPcap as an alternative if I can't use Wireshark, but am not that familiar with it and have to believe that Wireshark is more advanced overall, given that WinPcap is just a networking library. The warning you give about the stability of the Wireshark library, changing between releases, though, is a little vexing, but it still might be viable if we can track the changes and deal with them in our releases...obviously not ideal. If there are other alternatives or approaches I would be happy to hear about them...thanks for taking the time to post the reply above...truly appreciated.

(20 Jun '14, 17:59) JGo

2 Answers:


My hope is that by using Wireshark I can find events that occur on the network and then create a front-end that would present those events using plain English.

That sounds more like an IDS (intrusion detection system) than a network troubleshooting tool (Wireshark). If that is the case, Wireshark is probably not the best tool for you. Wireshark was developed as a tool to do network troubleshooting by looking at frames. It supports that process by the huge number of protocol dissectors, which makes it also interesting as a tool for network security. However, some internals have been created with a 'manual' troubleshooting tool in mind, so its possible use as an IDS is kind of limited.

So, your options are:

Regards
Kurt

answered 21 Jun '14, 16:08


Kurt Knochner ♦


Currently, Wireshark doesn't have a lot of code to identify network patterns.

It has a framework, the "expert info" mechanism, into which code to identify network patterns could be plugged.

What you'd do, if you'd developed a sufficiently rich set of "expert info" code and added it to Wireshark, would be to make a UI for libwireshark that, unlike the Wireshark UI for libwireshark, read a capture, extracted the expert info, and somehow presented that to the user.

It sounds as if there'd be a lot of work in the "somehow presented that to the user" part, however, if the goal is to present this information to someone with "no knowledge of networks or the underlying technologies".

And, yes, WinPcap isn't much of an alternative; libpcap/WinPcap are what Wireshark uses to capture traffic, but all it gets from them is raw packet data - libwireshark dissects the raw packet data it gets from libpcap/WinPcap.

answered 20 Jun '14, 18:21


Guy Harris ♦♦
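An added example, not code from the original post or from the Wireshark project, of the two-stage design Guy Harris describes in the answer above: let Wireshark's dissection engine (here driven through TShark rather than by linking libwireshark, which also sidesteps the unstable-API and GPL-linking issues raised on this page) extract the expert-info items, and keep the plain-English translation in a separate front end. The tshark flags, the `_ws.expert` display filter, the `_ws.expert.*` field names and the PI_* severity codes are Wireshark's own; everything else, in particular SAMPLE_TSHARK_OUTPUT, PLAIN_ENGLISH_RULES and the function names, is constructed for this example. It assumes that `-T fields` prints the severity as its numeric code, which is how enumerated integer fields are printed; check that, and the PI_* values in epan/proto.h, against the Wireshark version you ship with.

```python
"""Added example, not code from the original post or from the Wireshark project:
use TShark as the dissection back end and translate its expert-info items into
plain-English events in a separate front end.

Real pieces: the tshark flags, the "_ws.expert" display filter and the
_ws.expert.* field names, and the PI_* severity codes (epan/proto.h).
Assumption: -T fields prints the severity as its numeric code; verify against
your Wireshark version. Constructed: SAMPLE_TSHARK_OUTPUT, PLAIN_ENGLISH_RULES
and all function names.
"""
import shutil
import subprocess
from dataclasses import dataclass

# Expert-info severity codes from Wireshark's epan/proto.h (check your version).
PI_COMMENT = 0x00100000
PI_CHAT = 0x00200000
PI_NOTE = 0x00400000
PI_WARN = 0x00600000
PI_ERROR = 0x00800000

SEVERITY_WORDS = {PI_COMMENT: "comment", PI_CHAT: "info", PI_NOTE: "note",
                  PI_WARN: "warning", PI_ERROR: "error"}

# One output line per frame: frame number, severity code, message.
FIELDS = ["frame.number", "_ws.expert.severity", "_ws.expert.message"]


def tshark_command(pcap_path):
    """Command line that makes tshark print expert-info items as tab-separated text."""
    cmd = ["tshark", "-r", pcap_path, "-Y", "_ws.expert", "-T", "fields",
           "-E", "separator=/t", "-E", "occurrence=f"]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd


@dataclass
class ExpertEvent:
    frame: int
    severity: int
    message: str


def parse_tshark_lines(lines):
    """Parse tab-separated tshark output into ExpertEvent records.

    Lines that do not have the expected shape are skipped instead of raising:
    a dissector bug or a hostile capture must not take the front end down.
    """
    events = []
    for line in lines:
        parts = line.rstrip("\r\n").split("\t", 2)  # message is last; keep it whole
        if len(parts) != 3:
            continue
        try:
            events.append(ExpertEvent(int(parts[0]), int(parts[1]), parts[2]))
        except ValueError:
            continue
    return events


# Hypothetical front-end rules: substring of the expert message -> plain English.
PLAIN_ENGLISH_RULES = [
    ("retransmission", "Some data had to be sent again; the network dropped it or is slow."),
    ("duplicate ack", "A computer asked for the same data twice, a sign of packet loss."),
    ("malformed", "A message arrived that the software could not understand; this can be a bug or tampering."),
]


def translate(events, min_severity=PI_NOTE):
    """Turn expert events into non-technical messages, dropping chatter below min_severity."""
    out = []
    for ev in events:
        if ev.severity < min_severity:
            continue
        text = next((plain for key, plain in PLAIN_ENGLISH_RULES if key in ev.message.lower()),
                    "Wireshark reported: " + ev.message)
        out.append({"frame": ev.frame,
                    "level": SEVERITY_WORDS.get(ev.severity, "unknown"),
                    "text": text})
    return out


def run_tshark(pcap_path):
    """Run the real tshark on a capture file; returns None when tshark is not installed."""
    if shutil.which("tshark") is None:
        return None
    proc = subprocess.run(tshark_command(pcap_path), capture_output=True, text=True, check=True)
    return parse_tshark_lines(proc.stdout.splitlines())


# Constructed sample, shaped like the output of tshark_command(); not from a real run.
SAMPLE_TSHARK_OUTPUT = (
    "12\t6291456\tThis frame is a (suspected) retransmission\n"
    "13\t4194304\tDuplicate ACK (#1)\n"
    "40\t8388608\tMalformed Packet (Exception occurred)\n"
    "41\t2097152\tConnection establish request (SYN): server port 80\n"
    "garbage line with no tabs\n"
)

if __name__ == "__main__":
    for item in translate(parse_tshark_lines(SAMPLE_TSHARK_OUTPUT.splitlines())):
        print(f"frame {item['frame']:>5}  {item['level']:<8} {item['text']}")
```

Two practical points. `-E occurrence=f` keeps only the first expert item of each frame, which is enough for a summary view; to surface every item per frame, switch to `-T json` and walk the `_ws.expert` objects, at the cost of a more involved parser. And run tshark as an unprivileged user on capture files only: capturing needs privileges, dissection does not, and keeping the two separated (Wireshark itself does this by capturing with dumpcap) limits what a malformed packet can do if it trips a dissector bug.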

Thank you again for the great feedback and guidance. I think I am going to download Wireshark and spend some time getting to know it and make sure it is ultimately the right tool to solve the problem I am trying to tackle. After that I'll start playing with the libraries you mention and see if it works for what we are trying to develop. Sorry for the cryptic examples of what we are building but I am barred from revealing too much in this forum. Truly appreciate your help and if I can repay the favor please feel free to reach out directly at [email protected]

(20 Jun '14, 18:59) JGo

You should also note that the Wireshark suite is distributed under GPL 2. Linking to libwireshark would make a combined work and if you distribute it outside of your company then you must make the source code of the combined work available.

(21 Jun '14, 11:44) grahamb ♦

...and must not restrict the redistribution of the combined work by its recipients. (I.e., the combined work can't be sold under a "you can't give this away and you can't reverse-engineer it" license.)

(21 Jun '14, 11:48) Guy Harris ♦♦