I'm wondering, if possible, what the best way would be to get a realtime stream of statistics info (eg endpoint info) from wireshark? Perhaps via LUA or ??? asked 29 Mar '15, 19:24  canadaDry |
One Answer:
In that case, Wireshark is the wrong tool for you. It is a network troubleshooting tool and it was not designed for real time and long term analysis. See my answer to similar questions and the tips and links therein.
Regards answered 30 Mar '15, 07:58  Kurt Knochner ♦ Thank you for your assistance and patience Kurt! A related query then... would it be possible to use LUA (or ??) to grab a snapshot of the internal endpoint data that wireshark has accumulated? Does wireshark make it possible to access whatever internal array/table that is used for its statistics? (30 Mar '15, 08:31) canadaDry There is no exposed API (I believe no way at all) to trigger any statistics while Wireshark is running and there is no way to access the output of any statistics in memory (or similar). So that won't help you either for your realtime and longterm monitoring. Furthermore, there is no "exposed" API to access the internal data structures in a way you would need it. I know the dissector functionality of Wireshark is inviting (we've had quite a few of these discussions here), but I have to repeat myself: Wireshark is the wrong tool for such a scenario. If you run it for a long time (hours, days - depends on the amount of traffic) it will run into a out-of-memory problem, as Wireshark needs to keep track of some information and this will eventually eat up all available memory. As I said, it was not designed to work in that mode/way. See:
(30 Mar '15, 08:51) Kurt Knochner ♦ |
can you please be more specific, maybe with an example?
I'd like to let Wireshark do all the tabulation work for all the endpoint stats (eg. bytes rx/tx per endpoint) but somehow get at that data in realtime by my own program (eg. python+pandas if at all possible) to track and monitor activity to/from endpoints over time. With the goal of my program being able to analyze and detect abnormal traffic patterns based on historical data.
Being able to hook into wireshark's data would presumably save having to reinvent the wheel.
Does that make any sense?