Ask Your Question
0

How to get a diff for two or more packets in a stream

asked 2019-05-16 21:49:43 +0000

rdeal gravatar image

I've been trying to figure out a plugin that could allow a user to click on/select two packets and then hit a keybind or select something in the toolbar to have a window pop up showing a diff for the two packets. From what I can find, lua is just used for dissectors and to change the source code is very difficult? The Idea in my head right now is that I can drop a .dll in a plugin folder or maybe have wireshark run a python script. I'm just trying to get it to work in linux, but if that's not an option, that's fine. I'm very new to wireshark and haven't been able to find any sort of api for a plugin through google, but If someone could explain how to I might go about this, it would be appreciated as I am quite clueless as to how to go about this.

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
1

answered 2019-05-17 05:52:27 +0000

Jaap gravatar image

First some background on the kind of plugin interfaces Wireshark provides. The most well known is the dissector plugin API. It allows code to be added to the dissection engine, so that it can dissect additional protocols. Besides this there are the capture file plugin API, which allows additional capture file types to be read, the codec plugin API, which allows additional audio codecs to be handled in RTP analysis and a extcap plugin API, which allows interaction with additional types of capture interfaces. All these API's are available through C binding, although the dissection engine also has a Lua interface.

As you see this all has little or nothing to do with GUI interaction. Sure the output data of these plugins are used in the GUI, but the same plugins work from the command line as well (by means of tshark). So the feature you're describing is not feasible through a plugin interface, but would have to be coded into the Qt interface code. This would involve getting to know how packet dissections are shown in the GUI, how they are shown in their own window and see how to extend upon that to a dissection diff feature. It won't be simple, but it is a feasible enhancement.

edit flag offensive delete link more

Comments

Have a look at @Jaap's answer for info on the Wireshark API's. One additional note. With Lua you might be able to make a "tap" that you can feed two frame numbers and then have it show both dissection trees in a new window. That would be an interesting experiment.

Meanwhile it can be done on the CLI with (this will show a diff between packet 5 and 6):

diff -y <(tshark -r file.pcap -Y frame.number==5 -V) <(tshark -r file.pcap -Y frame.number==6 -V)

And can be optimized by using editcap to extract the frames if the dissection of the frame does not depend on other frames:

diff -y <(editcap -r file.pcap - 5 | tshark -r - -V) <(editcap -r file.pcap - 6 | tshark -r - -V)
SYN-bit gravatar imageSYN-bit ( 2019-05-17 09:44:35 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-05-16 21:49:43 +0000

Seen: 2,763 times

Last updated: May 17 '19

Related questions

SOME/IP Plugin under windows

where do I find a version of Wireshark that works with the Nordic BLE sniffer plugin

how to decode part of a message as IPv4 with a custom dissector?

Unable to load lua plugins in wireshark 2.4.3

Dissector plugin: binary-coded-decimal encoding

Get field value in tap listener plugin written in C language

How to create and install new own plugin in wireshark for filtering CAN packets in Ubunutu 16.04LTS

build errors. First time cmake user

Wireshark public API for data

undefined symbol error while running wireshark after building plugin

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2