This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dsiplaying Optional metadata along with captured packet data in PCAP NG file format

0

Hi,

I am inserting some metadata in Optional field of Evolved Packet Block in PCAP NG file format. I want wireshark to decode and display those metadata info along with captured protocol data. Is there any provion in wireshark to do this. Or if any modification is required in wireshark, how to proceed ??

Please help.

Thanks, Ambika

asked 30 Nov '11, 23:18

ambika's gravatar image

ambika
1223
accept rate: 0%

One Answer:

0

I presume you mean "Enhanced Packet Block" rather than "Evolved Packet Block"; there is no "Evolved Packet Block" in the pcap-NG specification, but there is an Enhanced Packet Block.

There is currently no support for reading that information in Wireshark. In order to add that capability, you'd have to modify the API offered by the Wiretap library (in the wiretap directory of the Wireshark source code) to provide that information to its callers, and then modify Wireshark and TShark to display that information. The decoding would probably be done in the packet-frame.c dissector file in the epan/dissectors subdirectory.

Further discussion of this should be done on the wireshark-dev mailing list.

answered 01 Dec '11, 18:43

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Hey thanks. I have made changes in wiretap library to dump optional metadata separately to stdout for each captured packet by using Tshark. But still not sure how to pass that info to wireshark for display.

I will work on it and discuss on the wireshark-dev mailing list as you suggested.

~ ambika

(05 Dec '11, 21:47) ambika