Ask Your Question
0

How to write/capture a pcap file to test dissector?

asked 2022-11-29 18:30:32 +0000

DavidA_2018 gravatar image

Hi, we have a mature Lua dissector which we need to continue to develop and test.

We have a Client and Server pair of test programs, coded in C++ and connected via TCP/IP. We capture the exchanged packets using Wireshark in order to test the dissector.

My question is how to conveniently capture the packets. We can run on Windows (including WSL) or Linux. We want to avoid using Npcap because of license costs. I guess the obvious solution is to use 3 PCs connected to a switch, to run the client, server and Wireshark. However, that is cumbersome due to the quantity of equipment, particularly if working remotely from the test setup.

Please can anyone suggest a more elegant test configuration, requiring less hardware?

Could a loopback be configured using WSL/WSL2 in Windows, or on a Linux box, in which case all 3 apps could run on the same machine?

Could the C++ client/ server programs write packets directly to a PCAP file for later dissection by Wireshark?

edit retag flag offensive close merge delete

Comments

We want to avoid using Npcap because of license costs.

Do you have a custom Wireshark installer? If you only have Lua dissectors, then you should be able to install the stock Wireshark installer with Npcap and not have to worry about licensing costs. From the Npcap License Agreement:

Copies of Npcap do not count toward the five copy, five computer, or
five user limitations imposed by this section if they are installed
and used solely in conjunction with any of the following software:

o The Nmap Security Scanner, as distributed from https://nmap.org

o The Wireshark network protocol analyzer, as distributed from
  https://www.wireshark.org/

o Microsoft Defender for Identity, as distributed from
  https://www.microsoft.com/en-us/microsoft-365/security/identity-defender
cmaynard gravatar imagecmaynard ( 2022-11-29 21:50:42 +0000 )edit

Hi Chris, thanks very much for answering my question. Your reply was very helpful. David.

DavidA_2018 gravatar imageDavidA_2018 ( 2022-11-30 14:22:34 +0000 )edit
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2022-11-29 19:14:21 +0000

André gravatar image

updated 2022-11-29 19:16:28 +0000

You only need one machine to do the capturing. So I don't understand the comment about license costs. Especially when capturing using Linux is an option.

Yes you can capture localhost traffic or other virtual interfaces, thus using WSL, virtual machines or Docker images.

Yes, a C++ program can create pcap(ng) files using the libpcap library. In this case I would prefer to capture on a NIC.

edit flag offensive delete link more

Comments

Thanks for your answer.

DavidA_2018 gravatar imageDavidA_2018 ( 2022-11-30 14:22:59 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2022-11-29 18:30:32 +0000

Seen: 502 times

Last updated: Nov 29 '22

Related questions

how to invert two bytes in lua script dissector ?

How do I get and display packet data information at a specific byte from the first byte?

why protocol is not showing as HTTP even though we sent http request ?

Adjusting Bit order and Endianess in LUA between Dissectors

How do I add "child item" to an item in the subtree?

PRP Dissector and FCS

Use a UDP payload dissector depending on ip addresses

Reuse (part of) a Wireshark Dissector

Heuristic dissector not called

How do I dissect multiple packets?