Hi, I am trying to find the packet file (the file in libpcap format that is finally dumped for wiretap) from which wiretap reads and hands data to Wireshark, but I couldn't find it. Can you guys help me find it? I found wtap_open_offline() (where wiretap opens the file and does some wiretap reading ops), but I am not able to find the file. Thanks, Karun. asked 27 May '15, 06:36 karun256 edited 27 May '15, 06:43
2 Answers:
libpcap.c for libpcap files and pcapng.c for pcap-ng files. answered 27 May '15, 08:33 Anders ♦
Your understanding is wrong. Dumpcap uses libpcap to capture packets, meaning that the packets are read from the network interface by libpcap and handed to dumpcap. Those packets are in binary form, not text form. Dumpcap then writes the packets to a pcap or pcap-ng file, in binary format; it's all binary, so text2pcap is not involved at all. It writes them out using Wireshark's own code, not libpcap/WinPcap (which currently can't write pcap-ng files). That code is in pcapio.c. Wireshark (or TShark) then reads from the same file, using Wiretap. So it's more like

Network interface --->dumpcap--->pcapio.c--->{the capture file}--->wiretap--->Wireshark

text2pcap is a separate program, which is used to turn ASCII hex dump files, which usually come from sources other than Wireshark, into pcap files. It is not at all involved in the packet capture process.

It reads capture files and prints some summary data for them.

The program that runs it, whether it's the command-line interpreter (shell, cmd.exe, whatever) or some other program. It's no different from any other C program in that regard; you are familiar with how UN*X and Windows command-line programs are written in C, right? If not, you're going to have difficulty understanding the code in Wireshark programs that processes argc and argv, so you should probably make sure you're familiar with that before doing any more work on this. answered 31 May '15, 14:30 Guy Harris ♦♦

Thanks Harris, you kept me on the right path. Dumpcap then writes the packets to a pcap or pcap-ng file? Where is this file? What's its name? Network interface --->dumpcap--->pcapio.c--->{the capture file}--->wiretap--->Wireshark In the above scenario, where can I find the capture file? Once the capture file is created, capinfos.c reads it and prints some summary data for it, right? Then it is followed by Wireshark reading that file using wiretap and displaying it to the end user, right? Once everything is ready, how and where is wiretap using that file? Meaning: can you give me a clear idea (file names with their functionalities would be much appreciated) about the capture file to wiretap and to Wireshark (end-user display)? (31 May '15, 21:55) karun256

Thanks for your patience in answering. Actually, I want to create one packet (by some application) in order to display it in Wireshark without having any n/w device. Can you suggest the best method to do that? My plan is to prepare my packet in the specified (WinPcap) format by using functions of pcapio.c and prepare one capture file; then Wireshark reads that packet using wiretap to display it. Is that OK? I am working on the Windows platform. (31 May '15, 22:01) karun256

As I mentioned earlier, I think extcap is the solution for you. It allows non-network devices to pass data into Wireshark for dissection and display. (01 Jun '15, 01:54) grahamb ♦
Use WinPcap. Have your application call
"WinPcap format" is pcap format; WinPcap will write out files in that format. libpcap/WinPcap was designed to be used as a library by applications; the pcapio.c code was written solely for use within Wireshark and really isn't designed for somebody else to use in their own program. (01 Jun '15, 12:13) Guy Harris ♦♦

Thanks Harris, I will try to follow your suggestion. I want to confirm one thing: I had taken the latest WinPcap source code, and going through the code from pcap_open_live I encountered a probe function where I found the PktReceive function (as mentioned below); in that it is copying the actual data into buf from &head->destin. Where are we filling this destin?

    PUBLIC int PktReceive (BYTE buf, int max)
    {
        WORD inOfs = rxInOfsFp;
        WORD outOfs = *rxOutOfsFp;
    }

(02 Jun '15, 01:03) karun256

That's a separate issue, and it's probably best to ask questions about WinPcap's internals on the WinPcap mailing list. I don't have time to go through the entire packet capture code path in WinPcap, and that's not relevant to what you're trying to do in any case. (02 Jun '15, 12:37) Guy Harris ♦♦
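The binary pcap layout Guy Harris describes above (a global header, then a record header plus the raw frame for each packet, which is what wiretap's libpcap.c reads), as an added example that is not code from the original post, from Wireshark or from WinPcap: a small C program that writes a one-packet capture file Wireshark can open. The ARP frame, the timestamp and the output name constructed_arp.pcap are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic pcap layout: 24-byte global header, then a 16-byte record header plus the
 * raw frame per packet. Fields are written little-endian (magic reads 0xa1b2c3d4). */
#define PCAP_MAGIC        0xa1b2c3d4u
#define PCAP_SNAPLEN      65535u
#define LINKTYPE_ETHERNET 1u
#define FILE_HDR_LEN      24u
#define REC_HDR_LEN       16u
static void put_le16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }
/* Global header: magic, version 2.4, thiszone 0, sigfigs 0, snaplen, link type. */
static size_t pcap_put_file_header(uint8_t *out) {
    put_le32(out, PCAP_MAGIC);
    put_le16(out + 4, 2); put_le16(out + 6, 4);
    put_le32(out + 8, 0); put_le32(out + 12, 0);
    put_le32(out + 16, PCAP_SNAPLEN); put_le32(out + 20, LINKTYPE_ETHERNET);
    return FILE_HDR_LEN;
}
/* Record header (ts_sec, ts_usec, incl_len, orig_len) followed by the frame.
 * Returns bytes appended, or 0 when the frame would exceed the snaplen. */
static size_t pcap_put_record(uint8_t *out, uint32_t ts_sec, uint32_t ts_usec,
                              const uint8_t *frame, uint32_t len) {
    if (len > PCAP_SNAPLEN) return 0;
    put_le32(out, ts_sec); put_le32(out + 4, ts_usec);
    put_le32(out + 8, len); put_le32(out + 12, len);   /* incl_len == orig_len: nothing truncated */
    memcpy(out + REC_HDR_LEN, frame, len);
    return REC_HDR_LEN + len;
}
/* Constructed sample frame: broadcast ARP request from 192.0.2.1 for 192.0.2.2
 * (documentation addresses), 14 bytes Ethernet + 28 bytes ARP. */
static const uint8_t SAMPLE_ARP[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,
    0x02,0x00,0x00,0x00,0x00,0x01, 0xc0,0x00,0x02,0x01,
    0x00,0x00,0x00,0x00,0x00,0x00, 0xc0,0x00,0x02,0x02 };
/* Builds a one-packet capture into out (needs 82 bytes); returns its length. */
size_t build_sample_capture(uint8_t *out) {
    size_t n = pcap_put_file_header(out);
    return n + pcap_put_record(out + n, 1432968000u, 0, SAMPLE_ARP, sizeof SAMPLE_ARP);
}
int main(void) {   /* writes a file Wireshark (via wiretap) or capinfos can open */
    uint8_t buf[FILE_HDR_LEN + REC_HDR_LEN + sizeof SAMPLE_ARP];
    size_t n = build_sample_capture(buf);
    FILE *f = fopen("constructed_arp.pcap", "wb");
    return (f && fwrite(buf, 1, n, f) == n && fclose(f) == 0) ? 0 : 1;
}
```

Opening the resulting file in Wireshark shows a single ARP frame; running capinfos on it reports the libpcap file type and one packet.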
Thanks Anders, in text2pcap.c we are preparing the libpcap format (global header, record header, data, record header, data, ...), right? In that, at line 1854 we are opening a file in read mode; from where are we getting this file to read, and from where are argc and argv coming (who is running this .c file with command-line arguments)? Actually, I want to see that file by opening it.
Similarly, in capinfos.c we are opening that file and preparing the wtap structure by reading that file in the function wtap_open_offline(), in which the first argument is the file. I want to know where it is taking that file from.
Actually, I want to create a packet to display in Wireshark, so my plan is to mimic my packet so that it is in libpcap format and give it to wiretap, so that wiretap will display the packet in Wireshark. So I want to see the packet that libpcap is preparing for wiretap.
Exactly, I want to know where we are feeding this packet to wiretap.
Thanks, Karun.
This might be better to discuss on the dev mailing list rather than on a Q&A site...
I think we need to understand what you are trying to do on a higher level to be able to answer your questions better.
What do you mean by this? Fire up Wireshark from within your application and feed it the data? Create a pcap(ng) file and read that into Wireshark afterwards? Perhaps you could feed the data to Wireshark through a pipe, or have tshark dissect it and present the text output? Create a packet from what? If you are processing a log file with mixed text and packet hex data, you could perhaps write code to have Wireshark read the file directly.
Exactly, I want to create a packet from my application and feed the data in order to display it in Wireshark. I had taken development release 1.99.5 for Windows 7. My intention is to prepare my packet, keep it in WinPcap format and feed it to wiretap (the rest will be taken care of by wiretap, right?).
You should maybe look into extcap. That allows applications that aren't a "network interface" to send data to Wireshark.
Unfortunately extcap is very poorly documented at the moment. There should be a man page (extcap.html) for it in an installed copy of the dev release and an example application in the source at doc\extcap_example.py. There is also an older SharkFest presentation here.
If you need more info about extcap the best place to ask would be on the Wireshark developers mailing list.
Thanks grahamb, can you share the developers mailing list with me? Actually, is it possible as I discussed in my previous mail; will it work, other than extcap?
https://www.wireshark.org/lists/
Wireshark can read from pipes, so it might be possible for your application to create a pipe that Wireshark can read from, but there are difficulties in the Wireshark UI for selecting the pipe. This is what extcap is designed to overcome.
No, Wireshark uses wiretap to read from files. As I understand your idea, you need to invoke Wireshark to read your packet somehow, or at least invoke the dissection engine from your program, which may not be so easy as it's not designed to work that way.
Thanks Anders. Dumpcap.c is a n/w traffic dump tool which will capture packets from a real interface and keep them in some output file stream (ASCII hex form). text2pcap.c is the file which converts the ASCII hex into WinPcap (Windows)/libpcap (Linux) format. Wireshark uses wiretap to read the above prepared WinPcap format file. Correct me if my understanding is wrong.
wireshark<---wiretap<---libpcap/winpcap(text2pcap.c)<---dumpcap.c<---n/w intf.
What's the functionality of capinfos.c, and who is giving argv and argc to that file, as it's using argc and argv and preparing the wtap structure?