Hi list,

I wonder if Wireshark could be extended to provide real-time network 
issue detection and if there was any interest in the community to 
implement this feature.

Let me explain.
What I would like to have is the following:
Wireshark (tshark to be precise) would be run from another application 
(let's call it the Monitor application). There would be a form of 
interprocess communication between Wireshark and the latter.
Wireshark would capture packets, decode them and run certain analysis 
modules (console style "tap-listeners", as can be activated via the -z 
option).
The analysis modules would be designed to detect alarm conditions that 
correspond to a certain network troubleshooting issue, for example, 
think of a module that monitors RTP voice conversations and reports 
whenever there is consecutive packet loss exceeding some threshold.
Whenever an alarm condition is met, Wireshark would notify the Monitor 
application, and the latter would save the corresponding capture files.
Wireshark would be run with the multiple files option, but the Monitor would 
erase every written file after a while if no alarm condition has been 
met during that time. Only the capture files containing alarm conditions 
would be saved.
The goal is to have the whole thing running over several days/weeks 
without filling up the HDD with unnecessary files.

In fact I already have implemented an application that does just that!
It was back on Ethereal 0.10.3 and I had to modify Ethereal in a few ways:
- Include a form of interprocess communication with the calling Monitor.
(was done using Windows IPC, certainly not a good choice, but it was the 
fastest possible way for me to do it), including an ABI for the monitoring 
taps to use it.
- Make Ethereal report whenever it switched to a new capture file.
(- Maybe other things I don't remember any more)

Problems I had to cope with:
- Ethereal was leaking memory which caused problems when running for 
several days. My workaround was to have Monitor relaunch Ethereal every 
now and then.

Obviously, keeping up with Wireshark's release frequency is difficult 
for me.
That is why I'm asking whether there would be interest in redesigning, 
adding and maintaining the Wireshark related part to the Wireshark 
source tree?

best regards,
Lars Ruoff
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev
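The Monitor-side logic the post describes, as an added, hypothetical example in Python (not Lars Ruoff's code and not part of Wireshark or tshark): an analysis module that raises an alarm when an RTP stream shows consecutive packet loss at or above a threshold, and a retention policy that keeps only the ring-buffer capture files whose time window contains an alarm and deletes alarm-free files once they are older than a grace period. The tshark command lines in the module docstring, the `-T fields` line format, the file names and all packet data are assumptions constructed for the demo; in a real deployment the Monitor would learn file boundaries from tshark's file-switch notifications rather than from a hand-written list.

```python
"""Monitor-style supervisor logic around tshark (added example, not project code).

Assumed tshark invocation feeding the detector, one tab-separated line per RTP packet:
    tshark -i eth0 -l -Y rtp -T fields -e frame.time_epoch -e rtp.ssrc -e rtp.seq
Assumed ring-buffer capture in a second tshark process (file switch every 60 s):
    tshark -i eth0 -b duration:60 -w /var/captures/ring.pcapng
"""
from typing import List, Optional, Tuple

LOSS_THRESHOLD = 5     # consecutive lost RTP packets that raise an alarm (assumed value)
GRACE_SECONDS = 120    # how long an alarm-free capture file is kept before deletion


def parse_tshark_line(line: str) -> Tuple[float, int, int]:
    """Parse one '-T fields' line: epoch time, SSRC as hex, RTP sequence number."""
    ts, ssrc, seq = line.rstrip("\n").split("\t")
    return float(ts), int(ssrc, 16), int(seq)


class RtpLossDetector:
    """Analysis module: per-SSRC consecutive loss detection from RTP sequence gaps."""

    def __init__(self, threshold: int = LOSS_THRESHOLD):
        self.threshold = threshold
        self.last_seq = {}  # ssrc -> last sequence number seen

    def feed(self, ts: float, ssrc: int, seq: int) -> Optional[dict]:
        """Return an alarm dict when the gap since the last packet reaches the threshold."""
        prev = self.last_seq.get(ssrc)
        self.last_seq[ssrc] = seq
        if prev is None:
            return None
        gap = (seq - prev - 1) & 0xFFFF   # RTP sequence numbers wrap at 16 bits
        if gap >= 0x8000:                 # "negative" gap: reordered or late packet, not loss
            return None
        if gap >= self.threshold:
            return {"ts": ts, "ssrc": ssrc, "lost": gap}
        return None


class CaptureRetention:
    """Monitor-side retention: keep files whose window holds an alarm, delete alarm-free
    files once their window ended more than grace_s ago, leave younger ones pending."""

    def __init__(self, grace_s: float = GRACE_SECONDS):
        self.grace_s = grace_s
        self.files: List[Tuple[str, float, float]] = []  # (path, start_ts, end_ts)
        self.alarm_ts: List[float] = []

    def file_switched(self, path: str, start_ts: float, end_ts: float) -> None:
        """Record a ring-buffer file and the time window it covers."""
        self.files.append((path, start_ts, end_ts))

    def alarm(self, ts: float) -> None:
        self.alarm_ts.append(ts)

    def sweep(self, now: float) -> Tuple[List[str], List[str]]:
        """Return (keep, delete) lists; the caller would unlink the 'delete' paths."""
        keep, delete = [], []
        for path, start, end in self.files:
            if any(start <= a <= end for a in self.alarm_ts):
                keep.append(path)
            elif now - end > self.grace_s:
                delete.append(path)
        return keep, delete


# Constructed tshark output: two streams, one gap of 7, one wrap-around gap of 6.
CONSTRUCTED_TSHARK_OUTPUT = [
    "1000.000\t0x1a2b\t100",
    "1000.020\t0x1a2b\t101",
    "1000.040\t0x1a2b\t102",
    "1000.200\t0x1a2b\t110",   # 103..109 missing -> 7 consecutive lost -> alarm
    "1000.220\t0x1a2b\t109",   # late arrival, negative gap, ignored
    "1000.240\t0x1a2b\t111",
    "1065.000\t0x99\t65534",
    "1065.040\t0x99\t5",       # wraps past 65535: 65535,0..4 missing -> 6 lost -> alarm
]

# Constructed ring-buffer file windows (60 s each) and sweep time.
CONSTRUCTED_FILES = [
    ("ring_0001.pcapng", 960.0, 1020.0),
    ("ring_0002.pcapng", 1020.0, 1080.0),
    ("ring_0003.pcapng", 1080.0, 1140.0),
    ("ring_0004.pcapng", 1140.0, 1200.0),
]
SWEEP_TIME = 1300.0


def run_demo() -> Tuple[List[dict], List[str], List[str]]:
    """Feed the constructed packets through the detector and sweep the file list."""
    detector = RtpLossDetector()
    retention = CaptureRetention()
    for path, start, end in CONSTRUCTED_FILES:
        retention.file_switched(path, start, end)
    alarms = []
    for line in CONSTRUCTED_TSHARK_OUTPUT:
        alarm = detector.feed(*parse_tshark_line(line))
        if alarm:
            alarms.append(alarm)
            retention.alarm(alarm["ts"])
    keep, delete = retention.sweep(SWEEP_TIME)
    return alarms, keep, delete


if __name__ == "__main__":
    alarms, keep, delete = run_demo()
    print("alarms:", alarms)
    print("keep:", keep, "delete:", delete)
```

Files 1 and 2 survive because an alarm falls inside their window, file 3 is deleted as alarm-free and past the grace period, and file 4 is still pending at sweep time. The detector deliberately treats a gap of 0x8000 or more as a reordered packet rather than as loss, which is the usual way to keep late RTP packets from producing false alarms.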