Wireshark mailing list archives

Re: Questions on Wireshark plugins “show pid”


From: Guy Harris <guy () alum mit edu>
Date: Fri, 18 Oct 2013 12:58:57 -0700


On Oct 18, 2013, at 2:57 AM, Bogdan Harjoc <harjoc () gmail com> wrote:

Hi, if you can add pid+process name as a plugin it would be great,

There's no place in the Wireshark code at which to insert such a plugin.

One place for code to find that information would be in the packet capture path.  That would require a capture file 
format capable of saving that information; pcap-ng can do that in at least a couple of ways:

        1) put it in a per-packet comment, which is what tcpdump on OS X Mountain Lion and later will do if you tell 
them to write pcap-ng files (it gets that information from libpcap, which gets it from OS X's BPF, which supplies it 
for some - but not all! - *outgoing* packets only);

        2) use the Hone Linux-Sensor project:

                https://github.com/HoneProject/Linux-Sensor

           extensions to pcap-ng:

                https://github.com/HoneProject/Linux-Sensor/blob/master/hone-pcapng.txt

           (they get it through a bunch of Linux kernel modules), and add support for those extensions (I have been 
restructuring the libwiretap library to make it handle pcap-ng, including extensions, better; that will include some 
fairly significant API changes - I haven't had time to work on it recently, but I'll try to get back to it at some 
point).

The first requires only changes to dumpcap (which currently does not support plugins, and, if it ever supports them, 
will do so in a *very* controlled fashion, as it might have to run with special privileges in order to be able to 
capture traffic, and privileges+plugins is a bit of an invitation to cracking), plus whatever OS changes, if any, are 
needed to get that information in the first place.

The second would require changes to libwiretap, as well as dumpcap changes and OS changes as needed.

There's no place to insert plugins into, for example, the IP dissection code path, as your changes do by modifying the 
IPv4 dissector.

I.e.:

On Fri, Oct 18, 2013 at 10:44 AM, 无聊小青年 <yzhpdy () qq com> wrote:
Dear sir:
      I am a beginner on wireshark and I find that your CODE attached on wireshark.org is very useful to me. Should I 
implement this plugin as the same steps I do when adding a self-designed dissector?

Bogdan's code, at least the version at

        http://www.wireshark.org/lists/wireshark-dev/201212/msg00070.html

is *not* a plugin, it's a patch to the Wireshark source code.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
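As an added example (not code from the email or from the Wireshark project), here is the per-packet-comment approach from option 1 above: a small writer and reader for little-endian pcap-ng that stores a process string in an Enhanced Packet Block opt_comment and reads it back, validating every block length so a truncated or hostile capture file cannot drive the reader out of bounds. The "pid=... proc=..." comment text is a constructed format; the email does not say how tcpdump formats the comment, and the reader assumes a little-endian section rather than checking the byte-order magic.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006   # pcap-ng block types
OPT_ENDOFOPT, OPT_COMMENT = 0, 1                    # pcap-ng option codes

def _pad4(b):
    return b + b"\0" * (-len(b) % 4)               # packet data and option values are 32-bit aligned

def _block(btype, body):
    total = 8 + len(body) + 4                       # type + length, body, trailing copy of length
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def _option(code, value):
    return struct.pack("<HH", code, len(value)) + _pad4(value)

def build_pcapng(packets):
    """Constructed little-endian sample file; packets is a list of (raw_bytes, comment_or_None)."""
    shb = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1) + _option(OPT_ENDOFOPT, b""))
    idb = _block(IDB, struct.pack("<HHI", 1, 0, 65535) + _option(OPT_ENDOFOPT, b""))  # link type 1 = Ethernet
    out = shb + idb
    for data, comment in packets:
        # interface id, timestamp high, timestamp low, captured length, original length, then data
        body = struct.pack("<IIIII", 0, 0, 0, len(data), len(data)) + _pad4(data)
        if comment is not None:
            body += _option(OPT_COMMENT, comment.encode())   # the per-packet comment carries the pid/process text
        out += _block(EPB, body + _option(OPT_ENDOFOPT, b""))
    return out

def _parse_options(buf):
    opts, off = [], 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("<HH", buf, off)
        off += 4
        if code == OPT_ENDOFOPT:
            break
        opts.append((code, buf[off:off + length]))
        off += length + (-length % 4)
    return opts

def packet_comments(blob):
    """Return [(packet_index, comment_or_None), ...] for every Enhanced Packet Block in blob."""
    results, off, idx = [], 0, 0
    while off + 12 <= len(blob):
        btype, total = struct.unpack_from("<II", blob, off)
        # Never trust a length field: reject it before it is used to index the buffer.
        if total < 12 or total % 4 or off + total > len(blob):
            raise ValueError("malformed block length at offset %d" % off)
        if btype == EPB:
            caplen = struct.unpack_from("<I", blob, off + 20)[0]
            opt_start = off + 28 + caplen + (-caplen % 4)          # options follow the padded packet data
            opts = _parse_options(blob[opt_start:off + total - 4])  # stop before the trailing length copy
            comments = [v.decode("utf-8", "replace") for c, v in opts if c == OPT_COMMENT]
            results.append((idx, comments[0] if comments else None))
            idx += 1
        off += total
    return results
```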
