This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

“Go to packet” via an API

0

Hi,

We are working on a proof of concept that includes a facility to remotely interact with Wireshark. We want to start with one simple function; sending a command to an instance of Wireshark to tell it to jump to a particular packet number. So basically we want to programmatically call the "Go to packet" function.

We want this functionality to be implemented through a plugin rather than change any Wireshark code. So the idea is to write a post-dissector (in C) whose registration function spins up a TCP-based service on a new thread that listens on a port for an incoming external command (in this case a "Go to packet" command) and then actions the command.

For this proof of concept we just need this to work with Wireshark v2 (i.e. Qt) and Windows.

I'll get to the point. Is there an API for C plugins that we can use to call the Go to packet function?

Alternatively, I've looked through the code at the UI interface and notice there is a callback function goto_frame_cb which I guess is called when the button is pressed in the Go to dialogue, but I also notice this is for GTK. Is there a Qt equivalent? Would this be a way to achieve what we are trying to achieve?

Am I being stupid by not realising that this functionality already exists?

Any advice would be much appreciated.

Thanks and regards...Paul

asked 31 Oct '15, 06:24


PaulOfford

Did you try calling wireshark.exe with the -g parameter? It jumps to the packet number that you specify on start.

But I guess you want to interactively jump to packets in already opened instances of Wireshark?

(31 Oct '15, 10:12) Jasper ♦♦

Paul, what's the purpose of doing that within the running GUI application? If we understand your needs, we might come up with other ideas as well.

(31 Oct '15, 15:39) Kurt Knochner ♦

Hi Jasper, you're right; we need to move the current position within an already loaded Wireshark instance.

Hi Kurt, There's not much more to tell. We want an external application that we have written to be able to move the current packet position within a trace already loaded into Wireshark.

Thanks and regards...Paul

(01 Nov '15, 01:34) PaulOfford

3 Answers:

2

Hi Paul,

did you have a look at the PluginIF work done by Roland Knall and that is part of the upcoming Wireshark 2.0? From what I understand it allows you to develop a plugin menu and the "Go to frame" case is part of the API.

answered 05 Nov '15, 08:59


Pascal Quantin

That is a great call Pascal. That looks to be exactly what I want. I followed your PluginIF link but I can't find any documentation, or even a brief description. I've looked at the code and I think I can see how I could use it but some doc would be good.

(05 Nov '15, 10:21) PaulOfford

1

Hi Kurt, There's not much more to tell. We want an external application that we have written to be able to move the current packet position within a trace already loaded into Wireshark.

well, then maybe the easiest way would be to use a GUI automation tool like AutoIT or AutoHotKey. I've worked quite a lot with AutoIT to automate several things on Windows, however not yet anything for Wireshark.

Idea:

  1. Get the focus of the GUI window you're after (see tool docs)
  2. Let the tool send 'CTRL-g' to the window
  3. Let the tool send the line number and <ENTER>

Maybe you can find some examples in the forums of these tools.

https://www.autoitscript.com/forum/
http://www.autohotkey.com/boards/

Regards
Kurt

answered 02 Nov '15, 04:17


Kurt Knochner ♦

edited 02 Nov '15, 04:18

0

Is there an API for C plugins that we can use to call the Go to packet function?

There will probably never be one for use in dissectors, as they might not be invoked from within a program with a GUI.

For use in GUI plugins, you can call cf_goto_frame(); the first argument is a capture_file *cf, and the second argument is a guint which is the frame number (starting with 1). Unfortunately, finding the appropriate capture_file *cf is a bit of work in the Qt code.

(That could be found by looking at goto_frame_cb(), noticing that it creates the dialog rather than actually going to the frame and that the "Ok" button calls goto_frame_ok_cb(), looking at goto_frame_ok_cb() and noticing that, after it validates the frame number typed into the dialog, it calls cf_goto_frame() and, if that succeeds, dismisses the "go to" dialog.)

answered 31 Oct '15, 11:18


Guy Harris ♦♦

edited 05 Nov '15, 05:57


grahamb ♦

Thanks Guy, I'll look into this.

(01 Nov '15, 01:35) PaulOfford

I have used VS to trace what happens when you enter a frame number and click on go. The stack shows a load of QT stuff, then:

Wireshark.exe!MainWindow::gotoFrame(int packet_num) Line 3463   C++
Wireshark.exe!MainWindow::on_goToGo_clicked() Line 3306 C++
Wireshark.exe!MainWindow::qt_static_metacall(QObject * _o,  QMetaObject::Call _c, int _id, void * * _a) Line 1515   C++
Wireshark.exe!MainWindow::qt_metacall(QMetaObject::Call _c, int _id, void * * _a) Line 1708 C++
Qt5Cored.dll!000000006711a724() Unknown
.
.

The code looks like this:

void MainWindow::gotoFrame(int packet_num)
{
    if ( packet_num > 0 )
    {
        packet_list_->goToPacket(packet_num);
    }
}

packet_list_ is a type PacketList and instantiated in the MainWindow class. And the MainWindow it's using has a global pointer gbl_cur_main_window.

So my theory is that in the plugin dissector I need to get a copy of the packet_list_ pointer and call goToPacket:

PacketList *my_packet_list_ = gbl_cur_main_window->packet_list_;   // gbl_cur_main_window is a pointer; the member is packet_list_

my_packet_list_->goToPacket(55);

Does that seem feasible?

Thanks and regards...Paul

(05 Nov '15, 05:52) PaulOfford
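Whichever entry point ends up being used (cf_goto_frame() from Guy's answer or PacketList::goToPacket() from Paul's trace), the listener thread in the question is handing attacker-reachable socket input to the GUI, so the frame number should be validated the way the Go To dialog does before anything is called. The following is an added example and not code from this thread or from Wireshark: the capture_file stand-in, the "goto <n>" wire syntax and the 1200-frame trace are assumptions, and the actual call still has to be marshalled onto the Qt GUI thread rather than made from the socket thread.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for Wireshark's capture_file (assumption): only the frame count is
 * needed to bound-check a request before the GUI thread calls cf_goto_frame(). */
typedef struct {
    unsigned int count;   /* number of frames in the loaded trace */
} capture_file_stub;

/* Parse a "goto <n>" line received over the socket. Returns the 1-based frame
 * number on success, or 0 for anything that must be rejected: unknown verb,
 * non-numeric or signed argument, trailing garbage, overflow, zero, or a
 * number beyond the end of the loaded trace. */
unsigned int parse_goto_command(const char *line, const capture_file_stub *cf)
{
    const char *p = line;
    char *end;
    unsigned long n;

    if (strncmp(p, "goto", 4) != 0)
        return 0;
    p += 4;
    if (!isspace((unsigned char)*p))        /* "gotox" or bare "goto" */
        return 0;
    while (isspace((unsigned char)*p))
        p++;
    if (!isdigit((unsigned char)*p))        /* rejects "-5", "+5", "0x37", "" */
        return 0;

    errno = 0;
    n = strtoul(p, &end, 10);
    if (errno == ERANGE || n == 0 || n > UINT_MAX)
        return 0;

    while (isspace((unsigned char)*end))    /* only a line ending may follow */
        end++;
    if (*end != '\0')
        return 0;

    if (n > cf->count)                      /* frames are numbered 1..count */
        return 0;
    return (unsigned int)n;
}

int main(void)
{
    capture_file_stub cf = { 1200 };        /* constructed: trace with 1200 frames */
    printf("%u\n", parse_goto_command("goto 55\r\n", &cf));
    return 0;
}
```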