Access TCP analysis in tap listener

Question

I am trying to write a tap for TCP with access to Wireshark's analysis (such as which frame the current packet is acknowledging.

It seems relatively straight forward to do this in Lua with something like:

acksframe = Field.new("tcp.analysis.acks_frame")
ack = acksframe()

However I have not worked out how to do this in a tap written in C/C++.

From what I understand, I have access to the following information in a TCP tap:

packet_info: generic packet information
epan_dissect: overall structure of the packet (layers and pointers to corresponding data)
tcpheader: the fields of the TCP header

None of these seems to have the TCP analysis information available in the Lua tap. tcpheader contains the basics such as seq and ack fields, however I am hoping to leverage Wireshark's analysis rather than trying to re-implement this myself.

How can I access Wireshark's TCP analysis from a tap listener written in C?

Answer 1

In order to access these fields you must ask for them by creating a tap filter when calling register_tap_listener.

For example, to ask for tcp.analysis.acks_frame, you would set up a filter such as:

"frame || tcp.analysis.acks_frame"

which you would pass as the 3rd argument to register_tap_listener.

If the tap is registered with the filter, the data can be found in the protocol tree provided in the epan_dissect_t pointer passed as the 3rd argument to your packet callback.

Note that this requires you to have a filter (performance hit) even if you are willing to receive all packets. There may be a better way where you can request that those fields are filled, without having to filter packets, but I am not aware of it.