This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Processing information within a http body

0

I am sending messages over http and would like to process the message information before displaying it in wireshark.

Is it possible to write a plugin that can manipulate data contained within an http body before displaying it? I have been looking through the developers guide, specifically chapter 9, and the examples there show how to create a dissector for a protocol which I don't believe is what I am trying to accomplish. If there is a way to preprocess the information for display where can I find an example of how to do that?

asked 16 Apr '14, 08:39

JME
accept rate: 0%

I'm not sure what you are after but I think you can register a dissector for a specific content-type.

(16 Apr '14, 08:45) Anders ♦

What I am trying to get at is this. After a client sends an http request to the server, the server responds over http with a message that contains Apache Avro data. When I view the response in wireshark I would like to see the response as standard Json rather than Avro's binary file format. I have code that can take the Avro file and transform it to Json, and I would like to know how I can add that code to wireshark in order to make the server response human readable.

(16 Apr '14, 09:49) JME

What is the content type of that binary data? The first problem is to get only the http data you want. Then you can extract it from the tvb, manipulate it, put it in a new tvb and dissect that. Similar to deflating payload.

(16 Apr '14, 10:11) Anders ♦

One Answer:

1

You're talking about a dissector. They take the information out of the packet in whatever format it's received, and dissect it into human readable chunks.

I'm not aware of any parts of Wireshark that transform data in the particular manner you describe. You could write another tool that pre-processes captures so that the modified pcap file contains the converted Json protocol, but that's non-trivial as you have to manage all the underlying layers (e.g. Ethernet, tcp) that Wireshark handles for you.

You should be able to use your conversion code as a basis for a dissector though, as a dissector just takes the input buffer, parses it into the component parts and calls the Wireshark API to add the parsed info into the columns and tree display.

answered 16 Apr '14, 10:07

grahamb ♦
accept rate: 22%
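As an added example (not code from the thread, and not Wireshark's own), here is what the approach suggested above looks like as a Lua plugin: register a dissector on the HTTP Content-Type, parse the body buffer, and add the decoded fields plus a JSON rendering to the tree. The Content-Type `application/avro-binary` and the two-field record schema are assumptions for illustration, since the thread never states them.

```lua
-- Added example (not code from the thread or from Wireshark): a Lua plugin the
-- HTTP dissector calls for one Content-Type (assumed: application/avro-binary),
-- decoding an assumed Avro record {"name": string, "age": long} into fields.
local avro = Proto("avro_demo", "Avro demo record (added example)")
local f_name = ProtoField.string("avro_demo.name", "name")
local f_age  = ProtoField.int64("avro_demo.age", "age")
local f_json = ProtoField.string("avro_demo.json", "As JSON")
avro.fields = { f_name, f_age, f_json }
-- Avro int/long: zigzag value in a little-endian base-128 varint (<= 10 bytes).
-- Returns value and bytes consumed, or nil on a truncated/overlong varint so a
-- malformed body degrades to an error item instead of a Lua exception.
local function read_long(tvb, off)
  local acc, shift = 0, 0
  for i = 0, 9 do
    if off + i >= tvb:len() then return nil end
    local b = tvb(off + i, 1):uint()
    acc = acc + (b % 128) * 2 ^ shift
    shift = shift + 7
    if b < 128 then -- last byte; undo zigzag: even -> n/2, odd -> -(n+1)/2
      return (acc % 2 == 0) and (acc / 2) or -((acc + 1) / 2), i + 1
    end
  end
  return nil
end
function avro.dissector(tvb, pinfo, tree)
  pinfo.cols.protocol = "AVRO"
  local sub = tree:add(avro, tvb())
  -- field 1, string: length as long, then that many UTF-8 bytes
  local len, n = read_long(tvb, 0)
  if not len or len < 0 or n + len > tvb:len() then
    sub:add_expert_info(PI_MALFORMED, PI_ERROR, "truncated or bad Avro string")
    return tvb:len()
  end
  local name = tvb(n, len):string()
  sub:add(f_name, tvb(n, len))
  -- field 2, long
  local off = n + len
  local age, m = read_long(tvb, off)
  if not age then return off end
  sub:add(f_age, tvb(off, m), Int64.new(age))
  -- %q gives a Lua-escaped string, close enough to JSON for display
  local json = string.format('{"name": %q, "age": %d}', name, age)
  sub:add(f_json, tvb(), json)
  pinfo.cols.info:append(" " .. json)
  return off + m
end

-- HTTP looks up the request/response Content-Type in this table.
DissectorTable.get("media_type"):add("application/avro-binary", avro)
```

Because the HTTP dissector hands over the body only after dechunking and decompressing it, the plugin sees the raw Avro bytes and never has to deal with the TCP or Ethernet layers the answer mentions.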