I have currently created a GUI for a module I am working on which is in the qt/ui project - Is there a way to listen to the packets which are being dissected and get the proto-tree for the ones I want? Would this be a job for a post-dissector or a listener? Any help would be appreciated! Thanks in advance! ModuleMan asked 31 Jan '17, 11:45 ModuleMan |
One Answer:
Ah - this answers the question I just asked on your other post. If you need access to all protocols in the stack, post-dissector is the right way to go. If you plan to insert your dissector at a particular point in the protocol stack (i.e. a standard dissector and not a post-dissector) then it will see all protocols before it in the dissector list, but not those that come after. Wireshark scans a trace file twice and, by default, it only produces a protocol tree on the second scan. You post dissector can check for the second scan like this:
You can force the production of a protocol tree during the first scan by registering a fake tap. See the function init_globals(void) in packet-transum.c of the transum project. You'll find transum in the git master branch. A tap like this has a small performance impact. You probably need to use the Wireshark Development mailing list for anything more detailed. Some very clever people hang out on this list. Best regards...Paul answered 31 Jan '17, 14:42 PaulOfford edited 31 Jan '17, 14:44 showing 5 of 9 show 4 more comments |
How would I include this code in my GUI - I dont have pinfo or any of the other parameters for the function you described so I am confused as to how I would go about going from my conversation item(conv_item_t), I mentioned in my other post's comment to creating this function.
Thanks you for your response!
PS. I have emailed on the development mailing list but no one has got back to me as of yet
More accurately, Wireshark will probably dissect at least some packets more than once and is not guaranteed to produce, or not to produce, a protocol tree on any of those dissections. Make as few assumptions as possible about 1) how many times packets are dissected or 2) whether the tree argument will be null in any of those dissections.
The only safe assumption is that, when the file is read, every packet will be dissected, in order, and
PINFO_FD_VISITED(pinfo)
will be false in that pass and true in all other dissections - at least until a "redissect" pass is made, at which point another pass is made over the file, dissecting each packet, in order, withPINFO_FD_VISITED(pinfo)
being false and true in dissections after that (until the next "redissect" pass).A "redissect" pass is performed if, for example, a protocol preference is changed, as that could affect the results of dissection of packets - and the results of the dissection of a packet for the protocol whose preference is changed could affect the results of the dissection of a packet that doesn't include that protocol, so no simple optimization is possible there.
@Guy Harris: Would it be easier to integrate lua and run wslua scripts in my c++ and work from there? If so how would I do it? Of course that is if this method is not recommended.
Guy, Thanks for the clarification. I hadn't realised the decision to generate a protocol tree is so complex. It may explain why I can't get TRANSUM to work with Tshark.
ModuleMan, I think we need to understand what you are trying to achieve. If I were to use your module (when it's finished), what would it give me?
Best regards...Paul
@PaulOfford: using -2 parameter should help you having TRANSUM working with TShark
Hi Pascal, Yeh that's a nice idea but unfortunately it doesn't fix it - I always run tshark and transum with that parameter. I'll raise a Bugzilla report.
@PaulOfford : I am basically making a web browser agnostic developers tools (similar to chrome an firefox). When a user opens my module from the analyse menu of Wireshark a dialog box will appear which will show all the active TCP connections (in a similar to the way the Conversations Dialog works) on that network interface.
From there they will be able to right click one of the conversations and click an analyse option which I have created. This will open another dialog box which will show all the packets within that conversation (through the use of a listener or post dissector) and will be able to see the proto-tree for each of those packets in a pop-out dialog / another GUI section.
Where "active" presumably means either "have traffic in the capture" or "have traffic, but no final FIN, in the capture".
@ModuleMan: Unfortunately I don't have experience writing anything that directly manipulates the UI. The LUA API provides functions to generate sub windows - see https://wiki.wireshark.org/LuaAPI/GUI
It would be worth checking if there is an equivalent for C dissectors. Producing all your code as a dissector/plugin would be better as changing the ui/qt code sounds like it could lead to a lot of maintenance work.