Re: Wireshark GUI filter control from external applications.

[Lee Brooks <lee.brooks.inbox () gmail com>]

Hi,

Okay, I've tried creating a Wireshark Lua plugin however I'm unable to keep
a thread open in the background to change the GUI-filter without blocking
the Wireshark main thread. I've even tried creating a separate Lua thread
which doesn't work either. The other option that I have investigated was:
to register the server accept() call into an API call similar to
"register_postdissector" (which is "called for every frame after
dissection") however there are no such suitable API calls  (and to be
honest it would be a terrible hack!).

So I guess that leaves me with a two questions:
> Is there a better way of using Lua such that I can have a socket open in
the background?
> If not: is there a procedure for getting my (small) C++
change reviewed and getting it built into Wireshark?

Any help you can offer would be appreciated.

Thanks,

Lee


On 12 February 2013 16:26, Lee Brooks <lee.brooks.inbox () gmail com> wrote:

> Hi,
>
> The tool wasn't written inside Wireshark because it started off as
> a dissertation project where the GNU General Public License was problematic
> for the sponsoring party. Since then the third party have agreed to release
> the IP to the authors, allowing it to be released Open Source.
>
> The application is used for analysing large amounts of data (>500Mb) so
> re-starting Wireshark (although not impossible) would take too long each
> time the user wants to update the filter.
>
> Thank you for your advice, I will look into the Wireshark Lua plugin.
>
> Thanks,
>
> Lee
>
>
> On 11 February 2013 17:53, Hadriel Kaplan <HKaplan () acmepacket com> wrote:
>
> >  Not critiquing your approach, but if you've got a tool that analyzes
> > pcap data for TCP/IP connections/stats, and also uses Wireshark, why not
> > just write the tool *inside* Wireshark? (e.g., as a tap)
> > Alternatively, if your tool is stand-alone and uses Wireshark only for
> > detailed drill-down on-demand, why not start Wireshark with the command
> > line and use the "-R" command-line option to set the display filter?
> >
> >  Otherwise, using sockets/pipes to do it seems reasonable, but you may
> > not need to modify Wireshark's C-code to accomplish it - you might be able
> > use a Wireshark Lua plugin which uses LuaSocket to communicate to your
> > application, and have the Lua plugin call set_filter() and apply_filter()
> > to change the display filter.
> >
> >  -hadriel
> >
> >
> >  On Feb 11, 2013, at 5:43 AM, Lee Brooks <lee.brooks.inbox () gmail com>
> > wrote:
> >
> >  Hi,
> >
> >  Thank you for replying.
> >
> >  Sure, firstly for other bespoke network analysis tools that aim to use
> > Wireshark to analyse low level network data (but where the main focus of
> > the tool isn't aimed at that level of detail). In comparison to it's
> > alternatives Wireshark is feature-rich, very customisable and also stable
> > which makes it desirable to hook into from other applications. This type of
> > tool ranges from in-house testing tools to other open-source applications.
> >
> >  For my self personally, a colleague and I are hoping to release a
> > light-weight open source tool that provides a top-down view on network
> > data. It has already been written, tested and used in anger by others at
> > the company where we work. It analyses pcap data then provides statistics
> > on a list of IP conversations between hosts, allowing you to drill down
> > into details about the TCP Connections for each conversation. Then from TCP
> > Connections it can drill down into the individual packet data where it
> > currently hooks into a prototype-dev version of Wireshark (by changing the
> > filters on the GUI). It also provides the ability to script your own data
> > classifications to help identify specific network conditions quickly. Our
> > aim is to release it to the open source community within the next few
> > weeks/months.
> >
> >  In my opinion I would rather connect to a Wireshark remote control API
> > than use a bespoke version or re-create the wheel.
> >
> >  I think a "GUI remote control" would only need to support "Change GUI
> > Filter" and "Remove GUI Filter" although it has a lot more potential too. I
> > have implemented these controls in our prototype-dev version or Wireshark
> > and the source code supports it fairly well.
> >
> >  Any help you can offer would be appreciated.
> >
> >  Thanks,
> >
> >  Lee
> >
> >
> >
> >
> > ___________________________________________________________________________
> > Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> > Archives:    http://www.wireshark.org/lists/wireshark-dev
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> >              mailto:wireshark-dev-request () wireshark org
> > ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe