This is our old Q&A Site. Please post any new questions and answers at

I want to use methods in tshark in my program. So I want to build tshark as a library. How can I do this?

Thank you for anyone's help in advance.

more detalis:
1.I'm making a test result analysis tool to deal with *.pcap files. This tool will first get the data chunk above TCP layer from pcap files and then do some analysis. So I need to use tshark function to peel the data by different layers.
2.I'm using GNU autotools building the whole wireshark source project.
3.I've tried to make some changes in and automake and configure and make. And I got libtshark.a. The problem is some of the functions in tshark can not be seen from "nm libtshark.a| grep XXX", which means my tool cannot use it. There must be something wrong when I made the libtshark.a. I did it like this:

a.I changed main() in tshark.c to tshark()
b.I removed "tshark" from bin_PROGRAMS and EXTRA_PROGRAMS in
c.I added "lib_LIBRARIES = libtshark.a" in
d.I added "libtshark_a_SOURCES = $(tshark_SOURCES)" in Makefile.common
e.I added "libtshark_a_LIBADD = " in

asked 24 Jun '15, 02:46

David%20Zhou's gravatar image

David Zhou
accept rate: 0%

edited 25 Jun '15, 19:58

Do you actually mean tshark, or the wireshark dissection engine in libwireshark or the capture file reading\writing tools in libwiretap?

The tshark executable basically parses command line options and then calls into libwireshark\libwiretap as required.

(24 Jun '15, 08:34) grahamb ♦

@grahamb, Thank you for your reply. yes, I mean tshark. I know tshark implement some methods like "process_packet()" to deal with *.pcap files, spliting ethernet layer/IP layer/TCP layer, etc. And I know these methods in tshark are based on some interfaces from libwireshark and libwiretap.

So I need to use the functions in tshark in my program and I'm trying to make tshark as a shared library. Could you please help me on this? Thank you.

(24 Jun '15, 19:18) David Zhou

To make tshark a library you'll have to hack whatever build system you're using, e.g. autotools, CMake or nmake.

However I still question the usefulness of this. A library is a collection of functions that allows library users to achieve some result. tshark doesn't have any of this, its a command line parser that then calls the real libraries, libwireshark and libwiretap to do some work.

I think you should reconsider either using tshark as a spawned process, providing it the required command line options to do what you want and parsing the output, or use libwireshark and libwiretap directly, which isn't very easy at all as they're not designed to be general purpose libraries.

You also haven't indicated exactly what you wish to achieve, if you do that we may be able to suggest a better approach.

permanent link

answered 25 Jun '15, 09:15

grahamb's gravatar image

grahamb ♦
accept rate: 22%

To make tshark a library you'll have to hack whatever build system you're using, e.g. autotools, CMake or nmake.

...and hack the code as well. It was written to be a program, not a library.

(25 Jun '15, 13:14) Guy Harris ♦♦

@grahamb, Thank you for the information. I've provided more details, appending to my question. Please check that. I appreciate your help. Thank you.

(25 Jun '15, 19:46) David Zhou

@David Zhou

a.I changed main() in tshark.c to tshark()

Are you aware that tshark is a console application printing to STDOUT? It's by far not enough to rename main() to get a library. Large parts of the code structure would have to be changed for that.

Why don't you call the tshark binary from your code (execve) and parse the output. Way less trouble for you. Plus, you would have to do the parsing part anyway, even if you (somehow) manage to press the tshark functionality into a library, because tshark would then still do the same as the console application, outputting a text representation of the dissected frames.

(26 Jun '15, 00:04) Kurt Knochner ♦

@Kurt Knochner, Thank you for your attention.

To execute tshark from my program as a spawn process is an option that I've already considered and abandoned. In this case, If the pcap file is extremely large(big chance), the spawn process will last a long time without output in STDOUT and my father program has no idea what's going on. This will lead to chaos.

I've also hacked tshark. I made some changes based on tshark code and now, when I run command "tshark -r xxx.pcap", nothing will be output on STDOUT but it will do some test analysis on dissected frames.
At this point, If I made this tshark a library, my program could get the layers' data directly from functions, not STDOUT, and do stuffs.

So if you have more information on how to generate, I appreciate it you could share with me. Thank you.

(26 Jun '15, 01:57) David Zhou

After weeks of torture, I've made for my tool and they work well together. Here I share the process for people wanting tshark library.


 1. this is based on wireshark-1.7 source code
 2. I used autotools system(automake, autoconf...)
 3. I did it by making necessary changes in existing wireshark source autotool files.
 4. there are still some redundancy functionality that could be excluded from the build. I just made it with the minimum modifications.



1.modify: main() => tshark()


1.add "lib_LTLIBRARIES ="
2.remove "@[email protected]" from bin_PROGRAMS
3.remove "tshark" from EXTRA_PROGRAMS
4.modify wireshark_LDADD
ui/gtk/libgtkui.a => ui/gtk/
ui/gtk/libgtkui_dirty.a => ui/gtk/
ui/libui.a => ui/
5.modify "if ENABLE_STATIC" macro
libtshark_LDFLAGS = -Wl, -static -all-static
libtshark_LDFLAGS = -export-dynamic
6.add libtshark.a and to CLEANFILES 7.add libtshark_la_LIBADD like this
libtshark_la_LIBADD =   \
    ui/         \
    ui/cli/          \
    ui/gtk/          \
    wiretap/       \
    epan/        \
    wsutil/     \
    @[email protected]          \
    $(plugin_ldadd)         \
    @[email protected] -lm         \
    @[email protected]         \
    @[email protected]           \
    @[email protected]          \
    @[email protected]           \
    @[email protected]         \
    @[email protected]         \
    @[email protected]   \
    @[email protected]           \
    @[email protected]        \
    @[email protected]        \
    @[email protected]        \


1.add libtshark_la_SOURCES like this
libtshark_la_SOURCES =  \
    airpcap_loader.c \
    capture_info.c  \
    color_filters.c \
    fileset.c   \
    filters.c   \
    g711.c \
    merge.c \
    proto_hier_stats.c  \
    recent.c    \
    summary.c   \
    u3.c        \
    capture_opts.c      \
    tempfile.c      \


1.modify: noinst_LIBRARIES = libui.a => lib_LTLIBRARIES =
3.modify: libui_a_SOURCES => libui_la_SOURCES
4.modify: libui_a_CFLAGS => libui_la_CFLAGS
5.modify: libui_a_DEPENDENCIES => libui_la_DEPENDENCIES


1.modify: noinst_LIBRARIES = libcliui.a => lib_LTLIBRARIES =
3.modify: libcliui_a_SOURCES => libcliui_la_SOURCES
4.modify: libcliui_a_CFLAGS => libcliui_la_CFLAGS
5.modify: libcliui_a_DEPENCENCIES => libcliui_la_DEPENCENCIES


1.modify: noinst_LIBRARIES = libgtkui.a libgtkui_dirty.a => lib_LTLIBRARIES =
2.add and to CLEANFILES
3.modify: libgtkui_a_SOURCES => libgtkui_la_SOURCES
4.modify: libgtkui_a_CFLAS => libgtkui_la_CFLAGS
5.add libgtkui_la_LIBADD = -lglib-2.0 -lgobject-2.0 -lgtk-x11-2.0
6.modify: libgtkui_a_DEPENDENCIES => libgtkui_la_DEPENCENCIES
7.modify: libgtkui_dirty_a_SOURCES => libgtkui_dirty_la_SOURCES
8.modify: libgtkui_dirty_a_DEPENCENCIES => libgtkui_dirty_la_DEPENCENCIES


1.add ../../file.c and ../../capture.c to WIRESHARK_GTK_SRC

automake under ./

#./configure --disable-dftest --disable-rawshark

#make (after this,you have your

to use it up, you need to do more.

1.declare tshark() function in your program, as a entry to use You may create a header file called tshark.h in your project and declare like this:
'#ifdef __cplusplus
extern "C" {

int tshark(int argc, char *argv[]);

'#ifdef __cplusplus } '#endif

remember to copy this header file under your libtshark directory before you build it. to your program tshark function like this, for example:

char arg_self = "/data/home/davidcyzhou/workspace/test/Debug/test";
char r_symbol = "-r";
char r_option = "/data/home/davidcyzhou/xxxx.pcap";
char V_symbol = "-V";
char* args[4] = { arg_self, V_symbol, r_symbol, r_option };

tshark(4, args);

4.when you build your program with, there might be some undefined reference err when it went with link command. Just comment related lines in your libtshark codes and rebuild. 5.before you execute your program, make sure your LD_LIBRARY_PATH have the path to the 6.Now you should see your program can output like tshark does.

After all above, you can do your business with, like if you want to get the contents above TCP layer in each packets and replay them, just save the contents in a linked-list where it prints the protocol tree in tshark and return the list back to your program. Then you can do your replay logic in your program.

I will be happy if this help anyone else. If you have trouble with the process, please send me email:[email protected]

permanent link

answered 07 Jul '15, 06:23

David%20Zhou's gravatar image

David Zhou
accept rate: 0%

edited 07 Jul '15, 06:27

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 24 Jun '15, 02:46

question was seen: 2,619 times

last updated: 07 Jul '15, 06:27

p​o​w​e​r​e​d by O​S​Q​A