Hi, I've been searching for a way to do the following with no avail. I was hoping someone here could point me in the right direction. The problem is this: I have a ton of wireshark traces containing varying amount of ISCSI packets. I need to parse out the command being sent by the initiator (in bytes) and write it to a file for each packet. I was originally going to do this manually, as it is easily viewable inside the wireshark application (see SS below), but some of these traces are huge (1-2 Gb), and it would take forever to do by hand. To further clarify, what I need is this:
I've been looking into tshark and rawshark documentation, but I'm not sure either is able to get me what I need. A friend suggested using libpcap to parse the traces myself, but from what I can tell I'd need to find some way to identify the bytes I need to pull out of each packet. Ideally I'd like to use something that recognizes it for me (ie wireshark's ISCSI dissector). Can anyone point me in the right direction? I need some way to parse out these commands from each ISCSI packet without looking through the raw packet data and trying to identify which bytes I need. As a note - It's not always the last 16 bytes in the packet as shown above, so I can't just go through and take the last 16 bytes. Any insight would be much appreciated, thanks! asked 07 Sep '11, 19:11  trousers |
One Answer:
What you're looking for requires some programming. It can be accomplished by creating a so called tap, see doc/README.tapping. It basically allows the iSCSI dissector to do it's thing, identify the relevant packets for you, and send certain data out to the tap. The tap listener can collect this data and save it to a file. A similar thing is done when you go to the menu option File|Export, there you have implementations of this model for HTTP, SMB, DICOM, etc. Have a look at there source code. Another path could be through the use of LUA, but I'm not familiar with that. answered 07 Sep '11, 22:13  Jaap ♦ |
