subject:"\[Wireshark\-dev\] Adding pcap\-ng pipe support to dumpcap"

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-11-22 Thread Roland Knall

Thanks!

On Wed, Nov 22, 2017 at 9:52 PM, James Ko  wrote:

> Done.  https://code.wireshark.org/review/#/c/24536/
>
>
> Thanks,
>
> James
>
>
> --
> *From:* Wireshark-dev  on behalf of
> Graham Bloice 
> *Sent:* Wednesday, November 22, 2017 10:22
> *To:* Developer support list for Wireshark
> *Subject:* Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap
>
>
>
> On 22 November 2017 at 18:13, James Ko  wrote:
>
> Attached is my patch to get this working (with caveats).
>
> To support this involved reading the the pcapng block header and parsing
> the just the section header block for endianess.  Then just rewrites the
> all blocks using the original/input endianess format to the pipe without
> looking much further at the block contents.
>
> It only supports one interface.  I don't fully understand how multiple
> interfaces are handled  but would probably require parsing the interface
> description blocks as well to get the linktype and snaplen to put in the
> interface table.
>
> I also did not implement the use_threads option for packet processing.
>
> There is #ifdef WIN32 bits but I don't know if any of that is correct as I
> didn't really touch it and did not even try to compile it.
>
> I hope this gets this feature moving along.
>
> Regards,
> James
>
>
>
>
> Please submit changes as per the Wiki page: https://wiki.wireshark.
> org/Development/SubmittingPatches
>
> --
> Graham Bloice
>
> 
> ___
> Sent via:Wireshark-dev mailing list 
> Archives:https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>  mailto:wireshark-dev-requ...@wireshark.org?subject=
> unsubscribe
>
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-11-22 Thread James Ko

Done.  https://code.wireshark.org/review/#/c/24536/


Thanks,

James



From: Wireshark-dev  on behalf of Graham 
Bloice 
Sent: Wednesday, November 22, 2017 10:22
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap



On 22 November 2017 at 18:13, James Ko 
mailto:jim.l...@hotmail.com>> wrote:
Attached is my patch to get this working (with caveats).

To support this involved reading the the pcapng block header and parsing the 
just the section header block for endianess.  Then just rewrites the all blocks 
using the original/input endianess format to the pipe without looking much 
further at the block contents.

It only supports one interface.  I don't fully understand how multiple 
interfaces are handled  but would probably require parsing the interface 
description blocks as well to get the linktype and snaplen to put in the 
interface table.

I also did not implement the use_threads option for packet processing.

There is #ifdef WIN32 bits but I don't know if any of that is correct as I 
didn't really touch it and did not even try to compile it.

I hope this gets this feature moving along.

Regards,
James




Please submit changes as per the Wiki page: 
https://wiki.wireshark.org/Development/SubmittingPatches

--
Graham Bloice
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-11-22 Thread Graham Bloice

On 22 November 2017 at 18:13, James Ko  wrote:

> Attached is my patch to get this working (with caveats).
>
> To support this involved reading the the pcapng block header and parsing
> the just the section header block for endianess.  Then just rewrites the
> all blocks using the original/input endianess format to the pipe without
> looking much further at the block contents.
>
> It only supports one interface.  I don't fully understand how multiple
> interfaces are handled  but would probably require parsing the interface
> description blocks as well to get the linktype and snaplen to put in the
> interface table.
>
> I also did not implement the use_threads option for packet processing.
>
> There is #ifdef WIN32 bits but I don't know if any of that is correct as I
> didn't really touch it and did not even try to compile it.
>
> I hope this gets this feature moving along.
>
> Regards,
> James
>
>
>
>
Please submit changes as per the Wiki page:
https://wiki.wireshark.org/Development/SubmittingPatches

-- 
Graham Bloice
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-11-22 Thread Roland Knall

Sorry, that was meant to be gerrit. See https://code.wireshark.org/review/

cheers

On Wed, Nov 22, 2017 at 7:19 PM, Roland Knall  wrote:

> Hi
>
> Could you send this to gerri for review? It makes it a lot easier to
> integrate into master
>
> cheers
> Roland
>
> On Wed, Nov 22, 2017 at 7:13 PM, James Ko  wrote:
>
>> Attached is my patch to get this working (with caveats).
>>
>> To support this involved reading the the pcapng block header and parsing
>> the just the section header block for endianess.  Then just rewrites the
>> all blocks using the original/input endianess format to the pipe without
>> looking much further at the block contents.
>>
>> It only supports one interface.  I don't fully understand how multiple
>> interfaces are handled  but would probably require parsing the interface
>> description blocks as well to get the linktype and snaplen to put in the
>> interface table.
>>
>> I also did not implement the use_threads option for packet processing.
>>
>> There is #ifdef WIN32 bits but I don't know if any of that is correct as
>> I didn't really touch it and did not even try to compile it.
>>
>> I hope this gets this feature moving along.
>>
>> Regards,
>> James
>>
>>
>> 
>> ___
>> Sent via:Wireshark-dev mailing list 
>> Archives:https://www.wireshark.org/lists/wireshark-dev
>> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>>  mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscr
>> ibe
>>
>
>
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-11-22 Thread Roland Knall

Hi

Could you send this to gerri for review? It makes it a lot easier to
integrate into master

cheers
Roland

On Wed, Nov 22, 2017 at 7:13 PM, James Ko  wrote:

> Attached is my patch to get this working (with caveats).
>
> To support this involved reading the the pcapng block header and parsing
> the just the section header block for endianess.  Then just rewrites the
> all blocks using the original/input endianess format to the pipe without
> looking much further at the block contents.
>
> It only supports one interface.  I don't fully understand how multiple
> interfaces are handled  but would probably require parsing the interface
> description blocks as well to get the linktype and snaplen to put in the
> interface table.
>
> I also did not implement the use_threads option for packet processing.
>
> There is #ifdef WIN32 bits but I don't know if any of that is correct as I
> didn't really touch it and did not even try to compile it.
>
> I hope this gets this feature moving along.
>
> Regards,
> James
>
>
> 
> ___
> Sent via:Wireshark-dev mailing list 
> Archives:https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>  mailto:wireshark-dev-requ...@wireshark.org?subject=
> unsubscribe
>
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-11-22 Thread James Ko

Attached is my patch to get this working (with caveats).

To support this involved reading the the pcapng block header and parsing the 
just the section header block for endianess.  Then just rewrites the all blocks 
using the original/input endianess format to the pipe without looking much 
further at the block contents.

It only supports one interface.  I don't fully understand how multiple 
interfaces are handled  but would probably require parsing the interface 
description blocks as well to get the linktype and snaplen to put in the 
interface table.

I also did not implement the use_threads option for packet processing.

There is #ifdef WIN32 bits but I don't know if any of that is correct as I 
didn't really touch it and did not even try to compile it.

I hope this gets this feature moving along.

Regards,
James

diff --git a/dumpcap.c b/dumpcap.c
index cc420ba..6fff51f 100644
--- a/dumpcap.c
+++ b/dumpcap.c
@@ -108,6 +108,7 @@
  */
 #include "wiretap/libpcap.h"
 #include "wiretap/pcapng_module.h"
+#include "wiretap/pcapng.h"
 
 /**#define DEBUG_DUMPCAP**/
 /**#define DEBUG_CHILD_DUMPCAP**/
@@ -270,8 +271,15 @@ typedef struct _capture_src {
  /**< capture pipe (unix only "input file") */
 gboolean from_cap_pipe;  /**< TRUE if we are capturing data from a capture pipe */
 gboolean from_cap_socket;/**< TRUE if we're capturing from socket */
-struct pcap_hdr  cap_pipe_hdr;   /**< Pcap header when capturing from a pipe */
-struct pcaprec_modified_hdr  cap_pipe_rechdr;/**< Pcap record header when capturing from a pipe */
+gboolean from_pcapng;/**< TRUE if we're capturing from pcapng format */
+union {
+struct pcap_hdr  cap_pipe_hdr;   /**< Pcap header when capturing from a pipe */
+struct pcapng_section_header_block_s pcapng_pipe_shb; /**< Pcapng header when capturing from a pipe */
+};
+union {
+struct pcaprec_modified_hdr  cap_pipe_rechdr;/**< Pcap record header when capturing from a pipe */
+struct pcapng_block_header_s pcapng_pipe_bh; /**< Pcapng block header when capturing from a pipe */
+};
 #ifdef _WIN32
 HANDLE   cap_pipe_h; /**< The handle of the capture pipe */
 #endif
@@ -388,6 +396,8 @@ static void capture_loop_write_packet_cb(u_char *pcap_src_p, const struct pcap_p
  const u_char *pd);
 static void capture_loop_queue_packet_cb(u_char *pcap_src_p, const struct pcap_pkthdr *phdr,
  const u_char *pd);
+static void capture_loop_write_pcapng_shb(u_char *pcap_src_p, const u_char *pd);
+static void capture_loop_write_pcapng_block(u_char *pcap_src_p, const u_char *pd);
 static void capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
 int err, gboolean is_close);
 
@@ -1452,6 +1462,10 @@ cap_pipe_close(int pipe_fd, gboolean from_socket _U_)
 #endif
 }
 
+/* Some forward declarations for breaking up cap_pipe_open_live for pcap and pcapng formats */
+static void pcap_pipe_open_live(int fd, capture_src *pcap_src, struct pcap_hdr *hdr, char *errmsg, int errmsgl);
+static void pcapng_pipe_open_live(int fd, capture_src *pcap_src, struct pcapng_section_header_block_s *hdr, char *errmsg, int errmsgl);
+
 /* Mimic pcap_open_live() for pipe captures
 
  * We check if "pipename" is "-" (stdin), a AF_UNIX socket, or a FIFO,
@@ -1462,7 +1476,7 @@ cap_pipe_close(int pipe_fd, gboolean from_socket _U_)
 static void
 cap_pipe_open_live(char *pipename,
capture_src *pcap_src,
-   struct pcap_hdr *hdr,
+   void *hdr,
char *errmsg, int errmsgl)
 {
 #ifndef _WIN32
@@ -1774,16 +1788,38 @@ cap_pipe_open_live(char *pipename,
 pcap_src->cap_pipe_modified = TRUE;
 break;
 case BLOCK_TYPE_SHB:
-/* This isn't pcap, it's pcapng.  We don't yet support
-   reading it. */
-g_snprintf(errmsg, errmsgl, "Capturing from a pipe doesn't support pcapng format.");
-goto error;
+pcap_src->pcapng_pipe_bh.block_type = BLOCK_TYPE_SHB;
+pcap_src->from_pcapng = TRUE;
+global_capture_opts.use_pcapng = TRUE;
+pcapng_pipe_open_live(fd, pcap_src, (struct pcapng_section_header_block_s *) hdr, errmsg, errmsgl);
+return;
 default:
 /* Not a pcap type we know about, or not pcap at all. */
 g_snprintf(errmsg, errmsgl, "Unrecognized libpcap format or not libpcap data.");
 goto error;
 }
+pcap_pipe_open_live(fd, pcap_src, (struct pcap_hdr *) hdr, errmsg, errmsgl);
+return;
 
+error:
+g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: error %s", errmsg);
+pcap_src->cap_pipe_err = PIPERR;
+cap_pipe_

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-09-01 Thread Guy Harris

On Aug 31, 2017, at 10:13 PM, Anthony Coddington 
 wrote:

> Wtap filetypes could indicate that they do/do not support sequential only 
> access with a flag in dump_open_table. There is already a flag for 
> writing_must_seek. I'm sure at some point I saw some support in wtap 
> internals for trying to read from pipes/stdin without random seeking support?

Libwiretap, in principle, requires seeking, because it determines the file type 
by, for all file types, attempting to read the file as if it were a file of 
that type until it either finds a file type that claims the file, gets an I/O 
error, or runs out of file types.  It does this by, for each file type, seeking 
back to the beginning of the file and calling the "open" routine.

In practice, the low-level code for reading from files has a buffer and 
implements seeking within the buffer by just adjusting an internal pointer, so 
*if* the first buffer read contains sufficient data, for all file types, to 
either identify the file as being of that type or not being of that type, we 
can determine the file type without actually adjusting the file descriptor's 
seek position, allowing it to work when reading from a pipe.

For files with a magic number at the beginning, that could work, as the buffer 
size is 4K (unless the OS supports the st_blksize member of the stat structure, 
and, for a given file/file system, the returned "recommended" block size isn't 
4K, e.g. 8K on an 8K/1K BSD FFS file system), and for most (if not all) files 
with magic numbers, the magic number is within the first 4K bytes of the file, 
so the test just keep reading out of the buffer.

That would require, however, either that:

1) if the wiretap/file_wrappers.c code reads into the buffer, and 
doesn't get a full 4K, subsequent reads append to the buffer until it fills, 
rather than having the code process what's in the buffer and then do the next 
read starting at the beginning of the buffer

or

2) anything writing to a pipe is guaranteed to, in the first write, 
write enough data for all magic numbers, and all OSes buffer that full amount, 
so that the first read gets enough data for all magic numbers.

For file formats unfortunate enough not to have a magic number, the open 
routine has to be able to say "this is my file" or "this is not my file" given 
only the first 4K bytes of data - or we need to increase the "guaranteed 
minimum unless the file itself is smaller" value to something big enough for 
all file types.

> If necessary wtap could be extended to have wtap filetypes return a 'need 
> more data' rather than WTAP_ERR_SHORT_READ or blocking if they don't have the 
> rest of the packet but have not reached EOF.

If there's currently any place in libwiretap where we return 
WTAP_ERR_SHORT_READ if we haven't finished reading a record but we haven't 
reached EOF, rather than just reading until we *do* finish reading the record, 
that's a colossal bug and needs to be fixed immediately.

We *could*, I guess, provide a "non-blocking" mode, wherein if an attempt to 
read from a file returns EAGAIN before we're finished reading a record, we 
return an equivalent "trying to read more stuff would block" error, but:

1) that change would go all the way down into the middle of 
wiretap/file_wrappers.c, and would probably complicate that code path 
significantly;

2) once that's done, other code paths also get more complicated (look 
at the stuff that reads from files vs. the stuff that captures from pipes!);

so it may be that if we want to be able to capture from a pipe, and not block 
the UI when waiting for input from the pipe, a simpler solution might be to 
stuff the "capture from a pipe" stuff into a separate thread that just does 
ordinary blocking reads from the pipe.  (Back when Wireshark^WEthereal was 
originally written, threading wasn't supported by many of the platforms on 
which it ran.  Now, we use threading in dumpcap and the GTK+ UI, with the GLib 
g_thread_ routines.)

> There is also nothing stopping having an interface for extcap that requires 
> dumping to an intermediate file for files that require seeking.

At least one file type that requires seeking is NetMon files, and you can't 
read them until you've written the entire file, so you just couldn't use it for 
extcap.  But I'm not sure there's any good reason to do so.

Another is the NetXRay/Windows Sniffer format, where the file's contents are 
probably an in-memory ring buffer dumped to the file, so you start reading in 
the middle of the file and, when you hit the end of the file, you wrap around.  
But I'm not sure there's a good reason to use that format, either.

There are cases where we seek forward, but we can implement that, on a 
sequential stream, by just reading data and throwing it away, using file_read() 
with a null pointer to the buffer into which to read data.
___
Sent via:Wiresh

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-09-01 Thread Jeff Morriss

On Thu, Aug 31, 2017 at 2:32 PM, Guy Harris  wrote:

> On Aug 31, 2017, at 11:09 AM, Jeff Morriss 
> wrote:
>
> > A counter argument to this would be that there are some advantages to
> not using a (temporary) file as the buffer packets.
>
> For Wireshark, you have no alternative, as packets aren't processed only
> once.
>
> For TShark with -2, the same applies.
>
> TShark with one pass is the one place where you wouldn't want a temporary
> file.
>

Ah, I guess implicit in my statement was the thought that we'd (have to) go
back to *shark writing the file.

Which would mean that while it could solve the 2 bugs it wouldn't do
anything about the fact that the data's going to a file (except that it
would allow the user to limit how much data is going to the file with a
read filter).  (So my 3rd point is somewhat meaningless.)
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-08-31 Thread Anthony Coddington

On Aug 31, 2017, at 1:31 PM, Guy Harris  wrote:
> On Aug 30, 2017, at 6:00 PM, Ed Beroset  wrote:
> > There are some limitations.  Specifically, pipes don't allow random access, 
>so any file formats that currently require that would need to either be 
>rewritten

> Which, for at least one capture file format (Network Monitor format), would 
>be impossible, as we don't define it, Microsoft does (and they're probably not 
>very amenable to changing it, not least because they've deprecated NetMon in 
>favor of Message Analyzer).  The only file formats *we* control to any degree 
>are pcap and pcapng, neither of which require random access in order to read 
>them sequentially.

> If we make extcap programs work like dumpcap, the only pipe involved is the 
>control pipe between *shark and the program - the packets are written directly 
>to a file - but that wouldn't make any difference for those file formats, as 
>you can't, for example, read a NetMon file until it's *completely* written, 
>with a frame table, and you can't do that until you've written all the packets 
>to it.

Wtap filetypes could indicate that they do/do not support sequential only 
access with a flag in dump_open_table. There is already a flag for 
writing_must_seek. I'm sure at some point I saw some support in wtap internals 
for trying to read from pipes/stdin without random seeking support? If 
necessary wtap could be extended to have wtap filetypes return a 'need more 
data' rather than WTAP_ERR_SHORT_READ or blocking if they don't have the rest 
of the packet but have not reached EOF. There is also nothing stopping having 
an interface for extcap that requires dumping to an intermediate file for files 
that require seeking.

Also note that with the extcap toolbar support there is now optionally already 
a control pipe to and from extcap applications. One option would be to extend 
and use that interface to indicate when packets are available. In dumpcap as 
well ideally (replacing the capchild control pipe). Not sure if it is feasible 
to suggest extcap applications flush the output pipe only on packet boundaries?

Regards,
Anthony

From: Wireshark-dev  on behalf of Guy 
Harris 
Sent: Thursday, 31 August 2017 1:31 p.m.
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

On Aug 30, 2017, at 6:00 PM, Ed Beroset  wrote:

> One problem is that as dumpcap is currently written, it treats files and 
> pipes very differently.

*Files* and pipes, or *capture devices* and pipes?

> but I can't help but think that the general approach you describe is the 
> better long term strategy.

Probably.  It means that the interface between *shark and extcap programs would 
be different - but, while having extcap programs behave like dumpcap might 
complicate the extcap programs (although some of the code to do that could be 
in a library used by dumpcap  and by extcap programs), it might simplify the 
Wireshark capture code path.

> There are some limitations.  Specifically, pipes don't allow random access, 
> so any file formats that currently require that would need to either be 
> rewritten

Which, for at least one capture file format (Network Monitor format), would be 
impossible, as we don't define it, Microsoft does (and they're probably not 
very amenable to changing it, not least because they've deprecated NetMon in 
favor of Message Analyzer).   The only file formats *we* control to any degree 
are pcap and pcapng, neither of which require random access in order to read 
them sequentially.

If we make extcap programs work like dumpcap, the only pipe involved is the 
control pipe between *shark and the program - the packets are written directly 
to a file - but that wouldn't make any difference for those file formats, as 
you can't, for example, read  a NetMon file until it's *completely* written, 
with a frame table, and you can't do that until you've written all the packets 
to it.

However, I suspect Stephen is thinking of ERF format, which should be writable 
purely sequentially, so it shouldn't be a problem, whether you're writing to a 
pipe or to a file that's being read incrementally.
___
Sent via:    Wireshark-dev mailing list 
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
  mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-08-31 Thread Guy Harris

On Aug 31, 2017, at 11:09 AM, Jeff Morriss  wrote:

> A counter argument to this would be that there are some advantages to not 
> using a (temporary) file as the buffer packets.

For Wireshark, you have no alternative, as packets aren't processed only once.

For TShark with -2, the same applies.

TShark with one pass is the one place where you wouldn't want a temporary file.

And the current scheme we have for extcap involves a temporary file, as the 
extcap programs talk to dumpcap, which always writes temporary files.

So, if we want to get rid of the temporary file for one-pass TShark (which 
would probably be a good idea), what we'd want to do is have extcap piping 
packets directly to TShark.  If we can also have TShark directly capturing 
(with a libpcap that does its own privilege separation), completely removing 
dumpcap:

one-pass TShark would read packets from a pcap_t or a pipe, writing to 
a file *if* asked to do so, and dissecting packets *if* asked to do so;

two-pass TShark would read packets from a pcap_t or a pipe, writing to 
a file unconditionally, dissecting the packets but not printing anything and, 
when the capture is complete, going back and re-dissecting the packets in the 
file and printing the results.

Wireshark would, in this world, read packets from a pcap_t or a pipe, writing 
to a file unconditionally, and adding them to its packet list, but not 
displaying the results of that dissection (not generating columns or a protocol 
tree); the packet list and packet details panes would display stuff based on a 
subsequent dissection (so it shows the result of dissections *after* the first 
pass).
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-08-31 Thread Jeff Morriss

On Thu, Aug 31, 2017 at 12:54 PM, Guy Harris  wrote:

> On Aug 31, 2017, at 3:37 AM, Ed Beroset  wrote:
>
> > On 08/30/2017 09:31 PM, Guy Harris wrote:
> >> On Aug 30, 2017, at 6:00 PM, Ed Beroset  wrote:
> >>> but I can't help but think that the general approach you describe is
> the better long term strategy.
> >> Probably.  It means that the interface between *shark and extcap
> programs would be different - but, while having extcap programs behave like
> dumpcap might complicate the extcap programs (although some of the code to
> do that could be in a library used by dumpcap and by extcap programs), it
> might simplify the Wireshark capture code path.
> >
> > I'm not sure that the interface between dumpcap and Wireshark/tshark
> would need to change to accommodate a wider variety of inputs via pipes.
>
> It wouldn't.
>
> The interface between *extcap programs* and Wireshark/tshark would need to
> change if we want to have extcap programs work like dumpcap, so that they
> talk directly to Wireshark/tshark, and write directly to a capture file,
> rather than talking to dumpcap by sending packets over a pipe.  That was
> Stephen's suggestion, and I think it's worth considering.
>

A counter argument to this would be that there are some advantages to not
using a (temporary) file as the buffer packets.  The ones I've had in mind
for some time are:
* Bug 2234 (filtering tshark captures with read filters (-R) no longer
works) - an Known Problem in our release notes since privsep came in.
* Bug 1650 (dumpcap can remove a ring-buffer file before *shark has read
it; the resulting packet loss is reasonable but error presented to the user
is quite bad).
* Just the general idea of using (slow) files for a buffer.
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-08-31 Thread Guy Harris

On Aug 31, 2017, at 3:37 AM, Ed Beroset  wrote:

> On 08/30/2017 09:31 PM, Guy Harris wrote:
>> On Aug 30, 2017, at 6:00 PM, Ed Beroset  wrote:
>>> One problem is that as dumpcap is currently written, it treats files and 
>>> pipes very differently.
>> *Files* and pipes, or *capture devices* and pipes?
> 
> Actually, I meant to say pipes and sockets.

That's because

1) UN*Xes tend to support select()/poll()/epoll()/kqueues/etc. on just 
about all descriptors

while

2) Windows doesn't support the WaitFor APIs on all handles, and pipes 
are different from sockets.

>>> but I can't help but think that the general approach you describe is the 
>>> better long term strategy.
>> Probably.  It means that the interface between *shark and extcap programs 
>> would be different - but, while having extcap programs behave like dumpcap 
>> might complicate the extcap programs (although some of the code to do that 
>> could be in a library used by dumpcap and by extcap programs), it might 
>> simplify the Wireshark capture code path.
> 
> I'm not sure that the interface between dumpcap and Wireshark/tshark would 
> need to change to accommodate a wider variety of inputs via pipes.

It wouldn't.

The interface between *extcap programs* and Wireshark/tshark would need to 
change if we want to have extcap programs work like dumpcap, so that they talk 
directly to Wireshark/tshark, and write directly to a capture file, rather than 
talking to dumpcap by sending packets over a pipe.  That was Stephen's 
suggestion, and I think it's worth considering.
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-08-31 Thread Kvidera, Evan D

I apologize for dropping off the map on this.

My employers decided that other projects were of higher priority this summer, 
and this fell by the wayside.  The other projects have reached completion, and 
I am still very interested in implementing this functionality, and so is my 
employer. I have a partner, Ben (bandrew...@winona.edu) who is also working on 
implementing this with me.  We are willing to put in the time and effort 
required, but we also do not want to be an obstruction to this getting done. I 
know I had a couple of false starts, so if its time to give it to someone else, 
I understand.  Richard, thank you for your patience and willingness to reach 
out personally.

If it still makes sense for us to work on this, we will strive to implement 
this feature quickly while keeping you and Ed up to date on our progress.

--Evan

From: Wireshark-dev  on behalf of Richard 
Sharpe 
Sent: Wednesday, August 30, 2017 8:23:35 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

On Wed, Aug 30, 2017 at 1:21 AM, Anders Broman
 wrote:
>
>
> -Original Message-
> From: Wireshark-dev [mailto:wireshark-dev-boun...@wireshark.org] On Behalf Of 
> Ed Beroset
> Sent: den 29 augusti 2017 21:40
> To: wireshark-dev@wireshark.org
> Subject: Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap
>
> On 08/29/2017 02:35 PM, Richard Sharpe wrote:
>>> On Tue, Aug 29, 2017 at 10:50 AM, Ed Beroset  wrote:
>>>> On 06/16/2017 01:27 PM, Richard Sharpe wrote:
>>>>
>>>> I've just encountered a need for this as well.  Have you made
>>>> progress, Evan?  Do you want some help?
>>>
>>> Evan seems to have dropped off the radar. I outlined to Evan an
>>> approach for doing this, so I could send it to Ed instead ...
>>
>>It would be helpful if you could.  I've looked at your old patch and I've 
>>been looking over the dumpcap.c code and have been making some notes, but it 
>>would nice to have >additional input on this, especially since you've already 
>>looked at it.  Thanks!

FWIW, here are the notes I sent Evan and Ed:

---

> The patch that I pointed you at is incomplete because it does not
> handle PCAPNG captures being piped at you. In addition I am no longer
> happy with exposing the internals of the struct capture_src like that.
>
> It should be easy to add pcapng support by detecting in
> cap_pipe_open_live that you are dealing with PCAPNG rather than PCAP,
> since you will see that you have an PCAPNG capture because the Section
> Header Block magic (block type) is 32 bits and  is different than any
> of the PCAP magic values, and there must be at least one SHB in a
> PCAPNG capture.
>
> Thus you can use that to choose which state machine should be used for
> the subsequent reads.
>
> I think it might be cleaner to extract the current PCAP state machine
> into its own function and create a new one for PCAPNG ... and I will
> have more thoughts later after I have thought about this some more.

More thoughts ...

1. Rename cap_pipe_dispatch to pcap_pipe_dispatch.

2. Create a new pcapng_pipe_dispatch. It only has to deal with two
record types. SHBs and all others. The reason you have to deal with
SHBs specially is that they can change the endianness of the capture
until you see the next SHB. Each block, including the SHB has a length
field as the second 32-bit field and the last 32-bit field. The SHB's
length cannot be interpreted until you figure out the endianness which
is determined from the third 32-bit field. It also contains a total
length for the section.

3. The first SHB has to be dealt with specially since you need to read
the first 32-bits (the MAGIC) to figure out whether or not you are
dealing with PCAP or PCAPNG. After that, SHBs still need to be dealt
with specially, but other blocks are simple to deal with. Read the
first 8 bytes, and if the MAGIC says it is not an SHB, the second
4-byte field tells you how many more bytes to read. Then you can
simply write the lot out. For each non-first SHB, you need to read
another 4 bytes to figure out the endianness field (4-bytes) to
determine how to interpret the second field.

4. Modify pcap_dispatch to call pcap_pipe_dispatch or
pcapng_pipe_dispatch depending on the the type of the capture
determined from reading the very first MAGIC field.

5. cap_pipe_dispatch may look complex because of all those #ifdef's
but that is simply to support Windows as well as Linux. It should be
possible to create pcapng_pipe_dispatch along similar lines as well.
There is probably only two states, or maybe three states, for
pcapng_pipe_dispatch: PCAPNG_STATE_EX

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-08-31 Thread Ed Beroset


On 08/30/2017 09:31 PM, Guy Harris wrote:

On Aug 30, 2017, at 6:00 PM, Ed Beroset  wrote:


One problem is that as dumpcap is currently written, it treats files and pipes 
very differently.


*Files* and pipes, or *capture devices* and pipes?


Actually, I meant to say pipes and sockets.


but I can't help but think that the general approach you describe is the better 
long term strategy.


Probably.  It means that the interface between *shark and extcap programs would 
be different - but, while having extcap programs behave like dumpcap might 
complicate the extcap programs (although some of the code to do that could be 
in a library used by dumpcap and by extcap programs), it might simplify the 
Wireshark capture code path.


I'm not sure that the interface between dumpcap and Wireshark/tshark 
would need to change to accommodate a wider variety of inputs via pipes. 
 What I meant was that much of the parsing and interpretation of the 
file formats seems to be essentially the same whether the data arrives 
as a file or as data in a pipe, so it seems, perhaps naively, that some 
of the code could also be shared.



There are some limitations.  Specifically, pipes don't allow random access, so 
any file formats that currently require that would need to either be rewritten


Which, for at least one capture file format (Network Monitor format), would be 
impossible, as we don't define it, Microsoft does (and they're probably not 
very amenable to changing it, not least because they've deprecated NetMon in 
favor of Message Analyzer).  The only file formats *we* control to any degree 
are pcap and pcapng, neither of which require random access in order to read 
them sequentially.


Partly for that reason, I've been concentrating my efforts on only those 
two formats for pipe input.  My patch is still quite rough, but it's 
working for my purposes.


Ed
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-08-30 Thread Stephen Donnelly

From: Guy Harris on Thursday, 31 August 2017 1:24 PM
> On Aug 30, 2017, at 4:58 PM, Stephen Donnelly  
> wrote:

>> At the very least extcap tools should be able to supply data in any format 
>> understood by wiretap, but since the extcap data currently goes via dumpcap 
>> (maybe not sensible either?)
> 
> Perhaps not, indeed.
> 
> Currently, there's a protocol between dumpcap and {Wireshark,TShark} allowing 
> dumpcap to tell *shark "I've appended N more packets to the capture file", to 
> allow dumpcap to report errors and "here's another capture file" (if it's 
> doing multiple files), etc..
> 
> If extcap programs were to speak that protocol when capturing, you could have 
> the extcap programs behave similarly to dumpcap, writing packets directly to 
> a file, and have *shark run the extcap program rather than running dumpcap.  
> I.e., make extcap programs act as substitutes for dumpcap.

Agreed. In fact if extcap programs can talk directly to *shark, then dumpcap 
becomes just another extcap program and not especially privileged.

Stephen

___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-08-30 Thread Guy Harris

On Aug 30, 2017, at 6:00 PM, Ed Beroset  wrote:

> One problem is that as dumpcap is currently written, it treats files and 
> pipes very differently.

*Files* and pipes, or *capture devices* and pipes?

> but I can't help but think that the general approach you describe is the 
> better long term strategy.

Probably.  It means that the interface between *shark and extcap programs would 
be different - but, while having extcap programs behave like dumpcap might 
complicate the extcap programs (although some of the code to do that could be 
in a library used by dumpcap and by extcap programs), it might simplify the 
Wireshark capture code path.

> There are some limitations.  Specifically, pipes don't allow random access, 
> so any file formats that currently require that would need to either be 
> rewritten

Which, for at least one capture file format (Network Monitor format), would be 
impossible, as we don't define it, Microsoft does (and they're probably not 
very amenable to changing it, not least because they've deprecated NetMon in 
favor of Message Analyzer).  The only file formats *we* control to any degree 
are pcap and pcapng, neither of which require random access in order to read 
them sequentially.

If we make extcap programs work like dumpcap, the only pipe involved is the 
control pipe between *shark and the program - the packets are written directly 
to a file - but that wouldn't make any difference for those file formats, as 
you can't, for example, read a NetMon file until it's *completely* written, 
with a frame table, and you can't do that until you've written all the packets 
to it.

However, I suspect Stephen is thinking of ERF format, which should be writable 
purely sequentially, so it shouldn't be a problem, whether you're writing to a 
pipe or to a file that's being read incrementally.
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-08-30 Thread Guy Harris

On Aug 30, 2017, at 4:58 PM, Stephen Donnelly  
wrote:

> At the very least extcap tools should be able to supply data in any format 
> understood by wiretap, but since the extcap data currently goes via dumpcap 
> (maybe not sensible either?)

Perhaps not, indeed.

Currently, there's a protocol between dumpcap and {Wireshark,TShark} allowing 
dumpcap to tell *shark "I've appended N more packets to the capture file", to 
allow dumpcap to report errors and "here's another capture file" (if it's doing 
multiple files), etc..

If extcap programs were to speak that protocol when capturing, you could have 
the extcap programs behave similarly to dumpcap, writing packets directly to a 
file, and have *shark run the extcap program rather than running dumpcap.  
I.e., make extcap programs act as substitutes for dumpcap.
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-08-30 Thread Ed Beroset


On 08/30/2017 07:58 PM, Stephen Donnelly wrote:


Why pcap-ng specifically? Although pcap-ng is higher featured than pcap, it is 
not Wireshark's internal representation. Pcap-ng is merely the default output 
format.


I don't know about other people's desire for this, but here's mine:  I 
am working on a Raspberry Pi based sniffer tool for IEEE 802.15.4 
traffic and want to be able to have the Pi serve up sniffed packets to 
an instance of Wireshark on another machine.  Rather than fiddle with 
pcap, it seemed to make sense to me to use pcapng as the output format 
for the Pi-based sniffer.  It was only after I had finished that, that I 
realized that pcapng was not supported via a pipe.



Since Wireshark has the ability to detect and read multiple formats already in 
wiretap, why not leverage that?

At the very least extcap tools should be able to supply data in any format 
understood by wiretap, but since the extcap data currently goes via dumpcap 
(maybe not sensible either?) they are restricted to pcap only and have to 
convert to that internally, potentially losing information.


Yes, exactly the situation.  So I've created a patch which works for my 
immediate needs, but is rather hack-ish and ugly for any other, at least 
in part due to some of the factors you mention.



Wouldn’t it be better for the capture tool to indicate which of the wiretap 
formats it intends to use, rather than switching from one fixed format to a 
different fixed format? This would then support both pcap and pcap-ng 
intrinsically, as well as all other formats.


One problem is that as dumpcap is currently written, it treats files and 
pipes very differently.  Part of that appears to be due to the fact that 
Windows treats them very differently, but I can't help but think that 
the general approach you describe is the better long term strategy. 
There are some limitations.  Specifically, pipes don't allow random 
access, so any file formats that currently require that would need to 
either be rewritten or omitted for the pipe-able formats.


Might be doable in that way, but it would require a lot of re-engineering.

Ed
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-08-30 Thread Stephen Donnelly

> Richard Sharpe Sent: Saturday, 17 June 2017 5:28 AM
>
> > On Fri, Jun 16, 2017 at 9:36 AM, Kvidera, Evan D  
> > wrote:
> > Hello Wireshark Devs,
> >
> > My name is Evan Kvidera and I am a senior undergraduate student 
> > studying Computer Science. I have a decent amount of programming 
> > experience, but only a little in C. My employer has asked me to try to 
> > add support for piping pcap-ng captures to Wireshark.
> > I have read over the bug report requesting the feature, 
> > https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11370.
> >
> > After reading the mailing list archives here, 
> > https://www.mail-archive.com/wireshark-dev@wireshark.org/msg6.html
> > , it looks like this addition will be nontrivial, but doable, and that 
> > the changes necessary are all going to be in dumpcap.
> >
> > I have at least a month or two of full-time work I can dedicate to 
> > this if necessary, although I am hoping it will not take that long.
> >
> > I have read through the Wireshark Developer's Guide and looked over 
> > the style guide for Wireshark. Is there anything else I should know 
> > before starting development? I will try to develop this as 
> > independently as possible, but I may have a few questions along the way.
>
> Hi Evan,
>
> I looked at this back in 2012 and even proposed a patch that might be useful 
> to you:
>
>   http://seclists.org/wireshark/2012/May/25
>
> No doubt it was a little too simplistic but if I find some time next week 
> while I am in Seattle I might try to resurrect it and see if it works.

Why pcap-ng specifically? Although pcap-ng is higher featured than pcap, it is 
not Wireshark's internal representation. Pcap-ng is merely the default output 
format.

Since Wireshark has the ability to detect and read multiple formats already in 
wiretap, why not leverage that?

At the very least extcap tools should be able to supply data in any format 
understood by wiretap, but since the extcap data currently goes via dumpcap 
(maybe not sensible either?) they are restricted to pcap only and have to 
convert to that internally, potentially losing information.

Wouldn’t it be better for the capture tool to indicate which of the wiretap 
formats it intends to use, rather than switching from one fixed format to a 
different fixed format? This would then support both pcap and pcap-ng 
intrinsically, as well as all other formats.

Regards,
Stephen

___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-08-30 Thread Richard Sharpe

On Wed, Aug 30, 2017 at 1:21 AM, Anders Broman
 wrote:
>
>
> -Original Message-
> From: Wireshark-dev [mailto:wireshark-dev-boun...@wireshark.org] On Behalf Of 
> Ed Beroset
> Sent: den 29 augusti 2017 21:40
> To: wireshark-dev@wireshark.org
> Subject: Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap
>
> On 08/29/2017 02:35 PM, Richard Sharpe wrote:
>>> On Tue, Aug 29, 2017 at 10:50 AM, Ed Beroset  wrote:
>>>> On 06/16/2017 01:27 PM, Richard Sharpe wrote:
>>>>
>>>> I've just encountered a need for this as well.  Have you made
>>>> progress, Evan?  Do you want some help?
>>>
>>> Evan seems to have dropped off the radar. I outlined to Evan an
>>> approach for doing this, so I could send it to Ed instead ...
>>
>>It would be helpful if you could.  I've looked at your old patch and I've 
>>been looking over the dumpcap.c code and have been making some notes, but it 
>>would nice to have >additional input on this, especially since you've already 
>>looked at it.  Thanks!

FWIW, here are the notes I sent Evan and Ed:

---

> The patch that I pointed you at is incomplete because it does not
> handle PCAPNG captures being piped at you. In addition I am no longer
> happy with exposing the internals of the struct capture_src like that.
>
> It should be easy to add pcapng support by detecting in
> cap_pipe_open_live that you are dealing with PCAPNG rather than PCAP,
> since you will see that you have an PCAPNG capture because the Section
> Header Block magic (block type) is 32 bits and  is different than any
> of the PCAP magic values, and there must be at least one SHB in a
> PCAPNG capture.
>
> Thus you can use that to choose which state machine should be used for
> the subsequent reads.
>
> I think it might be cleaner to extract the current PCAP state machine
> into its own function and create a new one for PCAPNG ... and I will
> have more thoughts later after I have thought about this some more.

More thoughts ...

1. Rename cap_pipe_dispatch to pcap_pipe_dispatch.

2. Create a new pcapng_pipe_dispatch. It only has to deal with two
record types. SHBs and all others. The reason you have to deal with
SHBs specially is that they can change the endianness of the capture
until you see the next SHB. Each block, including the SHB has a length
field as the second 32-bit field and the last 32-bit field. The SHB's
length cannot be interpreted until you figure out the endianness which
is determined from the third 32-bit field. It also contains a total
length for the section.

3. The first SHB has to be dealt with specially since you need to read
the first 32-bits (the MAGIC) to figure out whether or not you are
dealing with PCAP or PCAPNG. After that, SHBs still need to be dealt
with specially, but other blocks are simple to deal with. Read the
first 8 bytes, and if the MAGIC says it is not an SHB, the second
4-byte field tells you how many more bytes to read. Then you can
simply write the lot out. For each non-first SHB, you need to read
another 4 bytes to figure out the endianness field (4-bytes) to
determine how to interpret the second field.

4. Modify pcap_dispatch to call pcap_pipe_dispatch or
pcapng_pipe_dispatch depending on the the type of the capture
determined from reading the very first MAGIC field.

5. cap_pipe_dispatch may look complex because of all those #ifdef's
but that is simply to support Windows as well as Linux. It should be
possible to create pcapng_pipe_dispatch along similar lines as well.
There is probably only two states, or maybe three states, for
pcapng_pipe_dispatch: PCAPNG_STATE_EXPECT_PREAMBLE (for the first 8
bytes), PCAPNG_NG_STATE_READ_DATA for the remaining data in the
record, and PCAPNG_STATE_EXPECT_SHB_ENDIAN for the 4-byte endianness
indicator of an SHB.

-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-08-30 Thread Anders Broman

-Original Message-
From: Wireshark-dev [mailto:wireshark-dev-boun...@wireshark.org] On Behalf Of 
Ed Beroset
Sent: den 29 augusti 2017 21:40
To: wireshark-dev@wireshark.org
Subject: Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

On 08/29/2017 02:35 PM, Richard Sharpe wrote:
>> On Tue, Aug 29, 2017 at 10:50 AM, Ed Beroset  wrote:
>>> On 06/16/2017 01:27 PM, Richard Sharpe wrote:
>>>
>>> I've just encountered a need for this as well.  Have you made 
>>> progress, Evan?  Do you want some help?
>> 
>> Evan seems to have dropped off the radar. I outlined to Evan an 
>> approach for doing this, so I could send it to Ed instead ...
>
>It would be helpful if you could.  I've looked at your old patch and I've been 
>looking over the dumpcap.c code and have been making some notes, but it would 
>nice to have >additional input on this, especially since you've already looked 
>at it.  Thanks!
>
>Ed

Please send the notes to the list it may be useful for future reference.
Regards
Anders
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-08-29 Thread Ed Beroset


On 08/29/2017 02:35 PM, Richard Sharpe wrote:

On Tue, Aug 29, 2017 at 10:50 AM, Ed Beroset  wrote:

On 06/16/2017 01:27 PM, Richard Sharpe wrote:

I've just encountered a need for this as well.  Have you made progress,
Evan?  Do you want some help?


Evan seems to have dropped off the radar. I outlined to Evan an
approach for doing this, so I could send it to Ed instead ...


It would be helpful if you could.  I've looked at your old patch and 
I've been looking over the dumpcap.c code and have been making some 
notes, but it would nice to have additional input on this, especially 
since you've already looked at it.  Thanks!


Ed
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-08-29 Thread Richard Sharpe

On Tue, Aug 29, 2017 at 10:50 AM, Ed Beroset  wrote:
> On 06/16/2017 01:27 PM, Richard Sharpe wrote:
>>
>> On Fri, Jun 16, 2017 at 9:36 AM, Kvidera, Evan D 
>> wrote:
>>>
>>> Hello Wireshark Devs,
>>>
>>> My name is Evan Kvidera and I am a senior undergraduate student studying
>>> Computer Science. I have a decent amount of programming experience, but
>>> only
>>> a little in C. My employer has asked me to try to add support for piping
>>> pcap-ng captures to Wireshark.
>>> I have read over the bug report requesting the feature,
>>> https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11370.
>>>
>>> After reading the mailing list archives here,
>>> https://www.mail-archive.com/wireshark-dev@wireshark.org/msg6.html,
>>> it
>>> looks like this addition will be nontrivial, but doable, and that the
>>> changes necessary are all going to be in dumpcap.
>>>
>>> I have at least a month or two of full-time work I can dedicate to this
>>> if
>>> necessary, although I am hoping it will not take that long.
>>>
>>> I have read through the Wireshark Developer's Guide and looked over the
>>> style guide for Wireshark. Is there anything else I should know before
>>> starting development? I will try to develop this as independently as
>>> possible, but I may have a few questions along the way.
>>
>>
>> Hi Evan,
>>
>> I looked at this back in 2012 and even proposed a patch that might be
>> useful to you:
>>
>>http://seclists.org/wireshark/2012/May/25
>>
>> No doubt it was a little too simplistic but if I find some time next
>> week while I am in Seattle I might try to resurrect it and see if it
>> works.
>
>
> I've just encountered a need for this as well.  Have you made progress,
> Evan?  Do you want some help?

Evan seems to have dropped off the radar. I outlined to Evan an
approach for doing this, so I could send it to Ed instead ...

-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-08-29 Thread Ed Beroset


On 06/16/2017 01:27 PM, Richard Sharpe wrote:

On Fri, Jun 16, 2017 at 9:36 AM, Kvidera, Evan D  wrote:

Hello Wireshark Devs,

My name is Evan Kvidera and I am a senior undergraduate student studying
Computer Science. I have a decent amount of programming experience, but only
a little in C. My employer has asked me to try to add support for piping
pcap-ng captures to Wireshark.
I have read over the bug report requesting the feature,
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11370.

After reading the mailing list archives here,
https://www.mail-archive.com/wireshark-dev@wireshark.org/msg6.html, it
looks like this addition will be nontrivial, but doable, and that the
changes necessary are all going to be in dumpcap.

I have at least a month or two of full-time work I can dedicate to this if
necessary, although I am hoping it will not take that long.

I have read through the Wireshark Developer's Guide and looked over the
style guide for Wireshark. Is there anything else I should know before
starting development? I will try to develop this as independently as
possible, but I may have a few questions along the way.


Hi Evan,

I looked at this back in 2012 and even proposed a patch that might be
useful to you:

   http://seclists.org/wireshark/2012/May/25

No doubt it was a little too simplistic but if I find some time next
week while I am in Seattle I might try to resurrect it and see if it
works.


I've just encountered a need for this as well.  Have you made progress, 
Evan?  Do you want some help?


Ed
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-06-16 Thread Richard Sharpe

On Fri, Jun 16, 2017 at 9:36 AM, Kvidera, Evan D  wrote:
> Hello Wireshark Devs,
>
> My name is Evan Kvidera and I am a senior undergraduate student studying
> Computer Science. I have a decent amount of programming experience, but only
> a little in C. My employer has asked me to try to add support for piping
> pcap-ng captures to Wireshark.
> I have read over the bug report requesting the feature,
> https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11370.
>
> After reading the mailing list archives here,
> https://www.mail-archive.com/wireshark-dev@wireshark.org/msg6.html, it
> looks like this addition will be nontrivial, but doable, and that the
> changes necessary are all going to be in dumpcap.
>
> I have at least a month or two of full-time work I can dedicate to this if
> necessary, although I am hoping it will not take that long.
>
> I have read through the Wireshark Developer's Guide and looked over the
> style guide for Wireshark. Is there anything else I should know before
> starting development? I will try to develop this as independently as
> possible, but I may have a few questions along the way.

Hi Evan,

I looked at this back in 2012 and even proposed a patch that might be
useful to you:

  http://seclists.org/wireshark/2012/May/25

No doubt it was a little too simplistic but if I find some time next
week while I am in Seattle I might try to resurrect it and see if it
works.

-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

[Wireshark-dev] Adding pcap-ng pipe support to dumpcap

2017-06-16 Thread Kvidera, Evan D

Hello Wireshark Devs,

My name is Evan Kvidera and I am a senior undergraduate student studying 
Computer Science. I have a decent amount of programming experience, but only a 
little in C. My employer has asked me to try to add support for piping pcap-ng 
captures to Wireshark.
I have read over the bug report requesting the feature, 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11370.

After reading the mailing list archives here, 
https://www.mail-archive.com/wireshark-dev@wireshark.org/msg6.html, it 
looks like this addition will be nontrivial, but doable, and that the changes 
necessary are all going to be in dumpcap.

I have at least a month or two of full-time work I can dedicate to this if 
necessary, although I am hoping it will not take that long.

I have read through the Wireshark Developer's Guide and looked over the style 
guide for Wireshark. Is there anything else I should know before starting 
development? I will try to develop this as independently as possible, but I may 
have a few questions along the way.

Thanks,
  Evan
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

[Wireshark-dev] Adding pcap-ng pipe support to dumpcap

26 matches

Site Navigation

Mail list logo

Footer information