Wireshark mailing list archives
Re: Adding pcap-ng pipe support to dumpcap
From: "Kvidera, Evan D" <ed4481hu () my southeastmn edu>
Date: Wed, 30 Aug 2017 16:49:04 +0000
I apologize for dropping off the map on this. My employers decided that other projects were of higher priority this summer, and this fell by the wayside. The other projects have reached completion, and I am still very interested in implementing this functionality, and so is my employer. I have a partner, Ben (bandrews14 () winona edu) who is also working on implementing this with me. We are willing to put in the time and effort required, but we also do not want to be an obstruction to this getting done. I know I had a couple of false starts, so if its time to give it to someone else, I understand. Richard, thank you for your patience and willingness to reach out personally. If it still makes sense for us to work on this, we will strive to implement this feature quickly while keeping you and Ed up to date on our progress. --Evan ________________________________ From: Wireshark-dev <wireshark-dev-bounces () wireshark org> on behalf of Richard Sharpe <realrichardsharpe () gmail com> Sent: Wednesday, August 30, 2017 8:23:35 AM To: Developer support list for Wireshark Subject: Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap On Wed, Aug 30, 2017 at 1:21 AM, Anders Broman <anders.broman () ericsson com> wrote:
-----Original Message----- From: Wireshark-dev [mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Ed Beroset Sent: den 29 augusti 2017 21:40 To: wireshark-dev () wireshark org Subject: Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap On 08/29/2017 02:35 PM, Richard Sharpe wrote:On Tue, Aug 29, 2017 at 10:50 AM, Ed Beroset <beroset () mindspring com> wrote:On 06/16/2017 01:27 PM, Richard Sharpe wrote: I've just encountered a need for this as well. Have you made progress, Evan? Do you want some help?Evan seems to have dropped off the radar. I outlined to Evan an approach for doing this, so I could send it to Ed instead ...It would be helpful if you could. I've looked at your old patch and I've been looking over the dumpcap.c code and have been making some notes, but it would nice to have >additional input on this, especially since you've already looked at it. Thanks!
FWIW, here are the notes I sent Evan and Ed: -----------------------
The patch that I pointed you at is incomplete because it does not handle PCAPNG captures being piped at you. In addition I am no longer happy with exposing the internals of the struct capture_src like that. It should be easy to add pcapng support by detecting in cap_pipe_open_live that you are dealing with PCAPNG rather than PCAP, since you will see that you have an PCAPNG capture because the Section Header Block magic (block type) is 32 bits and is different than any of the PCAP magic values, and there must be at least one SHB in a PCAPNG capture. Thus you can use that to choose which state machine should be used for the subsequent reads. I think it might be cleaner to extract the current PCAP state machine into its own function and create a new one for PCAPNG ... and I will have more thoughts later after I have thought about this some more.
More thoughts ... 1. Rename cap_pipe_dispatch to pcap_pipe_dispatch. 2. Create a new pcapng_pipe_dispatch. It only has to deal with two record types. SHBs and all others. The reason you have to deal with SHBs specially is that they can change the endianness of the capture until you see the next SHB. Each block, including the SHB has a length field as the second 32-bit field and the last 32-bit field. The SHB's length cannot be interpreted until you figure out the endianness which is determined from the third 32-bit field. It also contains a total length for the section. 3. The first SHB has to be dealt with specially since you need to read the first 32-bits (the MAGIC) to figure out whether or not you are dealing with PCAP or PCAPNG. After that, SHBs still need to be dealt with specially, but other blocks are simple to deal with. Read the first 8 bytes, and if the MAGIC says it is not an SHB, the second 4-byte field tells you how many more bytes to read. Then you can simply write the lot out. For each non-first SHB, you need to read another 4 bytes to figure out the endianness field (4-bytes) to determine how to interpret the second field. 4. Modify pcap_dispatch to call pcap_pipe_dispatch or pcapng_pipe_dispatch depending on the the type of the capture determined from reading the very first MAGIC field. 5. cap_pipe_dispatch may look complex because of all those #ifdef's but that is simply to support Windows as well as Linux. It should be possible to create pcapng_pipe_dispatch along similar lines as well. There is probably only two states, or maybe three states, for pcapng_pipe_dispatch: PCAPNG_STATE_EXPECT_PREAMBLE (for the first 8 bytes), PCAPNG_NG_STATE_READ_DATA for the remaining data in the record, and PCAPNG_STATE_EXPECT_SHB_ENDIAN for the 4-byte endianness indicator of an SHB. -- Regards, Richard Sharpe (何以解憂?唯有杜康。--曹操) ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- Re: Adding pcap-ng pipe support to dumpcap Ed Beroset (Aug 29)
- Re: Adding pcap-ng pipe support to dumpcap Richard Sharpe (Aug 29)
- Re: Adding pcap-ng pipe support to dumpcap Ed Beroset (Aug 29)
- Re: Adding pcap-ng pipe support to dumpcap Anders Broman (Aug 30)
- Re: Adding pcap-ng pipe support to dumpcap Richard Sharpe (Aug 30)
- Re: Adding pcap-ng pipe support to dumpcap Kvidera, Evan D (Aug 31)
- Re: Adding pcap-ng pipe support to dumpcap Ed Beroset (Aug 29)
- Re: Adding pcap-ng pipe support to dumpcap Richard Sharpe (Aug 29)
- <Possible follow-ups>
- Re: Adding pcap-ng pipe support to dumpcap Stephen Donnelly (Aug 30)
- Re: Adding pcap-ng pipe support to dumpcap Ed Beroset (Aug 30)
- Re: Adding pcap-ng pipe support to dumpcap Guy Harris (Aug 30)
- Re: Adding pcap-ng pipe support to dumpcap Ed Beroset (Aug 31)
- Re: Adding pcap-ng pipe support to dumpcap Guy Harris (Aug 31)
- Re: Adding pcap-ng pipe support to dumpcap Jeff Morriss (Aug 31)
- Re: Adding pcap-ng pipe support to dumpcap Guy Harris (Aug 31)
- Re: Adding pcap-ng pipe support to dumpcap Ed Beroset (Aug 30)
- Re: Adding pcap-ng pipe support to dumpcap Anthony Coddington (Aug 31)
- Re: Adding pcap-ng pipe support to dumpcap Stephen Donnelly (Aug 30)