
I'm using libpcap and want to be able to analyze packets but without Wireshark at all. However, I want to use the Wireshark dissectors. Has anybody done this and can give me an explanation of the needed steps?

Fabian Knapp



First of all, see this answer about the dangers of using epan and linking to libwireshark. You're basically alone trying to make it work; it is not meant to work that way, and a new version may break your code. It is always suggested to write a dissector instead, since that API is not going to change.


If that did not scare you please read forward.

I have not performed it, but I'm more-or-less familiar with the Wireshark code tree. I believe that what you're after is `#include <epan/packet.h>`, `#include <epan/frame_data.h>` and `#include <epan/tvbuff.h>` (Testy Virtual Buffer); these header files are distributed together with Wireshark since they are needed to write plugin dissectors.

Since one protocol often contains another protocol as the payload, Wireshark's way to deal with it is the tvbuff_t. One dissector returns a tvbuff_t which can then be used by another dissector. You need to perform the entire decoding of the packet (for example, starting from Ethernet) since Wireshark is not there to do it for you.

The code in the epan directory is documented in the doc directory; notably, section 1.7 of doc/README.dissectors (Calling Other Dissectors) has information on how to use tvbuff_t and find_dissector().

It is a very hacky way of doing things, therefore I'll warn again: if you can get away with writing a dissector and using it within Wireshark, do it.

grochmal
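To make the layering the answer describes concrete, here is an added example that is not from the question, the answer or Wireshark: a hand-rolled `struct view` stands in for `tvbuff_t`, `subview()` plays the role of `tvb_new_subset_remaining()`, and each layer's `switch` does the dispatch that `find_dissector()`/`call_dissector()` do in epan. It decodes a constructed Ethernet/IPv4/UDP frame from the outermost layer inward, as a libpcap callback would have to, with the bounds checks a dissector needs so that a truncated or lying length field stops decoding instead of reading past the buffer. It does not link against libwireshark, so it also sidesteps the version-drift problem the answer warns about.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for Wireshark's tvbuff_t: a bounded view of packet
 * bytes. Each dissector receives one and passes a narrower view (its payload)
 * to the next dissector, never the raw pointer and length. */
struct view {
    const uint8_t *data;
    size_t len;
};

/* Like tvb_new_subset_remaining(): a child view that cannot exceed its parent. */
static int subview(struct view parent, size_t offset, struct view *out) {
    if (offset > parent.len) return 0;
    out->data = parent.data + offset;
    out->len = parent.len - offset;
    return 1;
}

/* Caller guarantees off + 1 < v.len (every caller checks the header size first). */
static uint16_t get_be16(struct view v, size_t off) {
    return (uint16_t)((v.data[off] << 8) | v.data[off + 1]);
}

/* What we record about a frame; `layers` counts successfully decoded layers. */
struct summary {
    uint16_t ethertype;
    uint8_t ip_proto;
    uint16_t src_port, dst_port;
    size_t payload_len;
    int layers;
};

/* UDP: 8-byte header; the length field must fit inside the view it came in. */
static int dissect_udp(struct view v, struct summary *s) {
    if (v.len < 8) return 0;
    s->src_port = get_be16(v, 0);
    s->dst_port = get_be16(v, 2);
    uint16_t udp_len = get_be16(v, 4);
    if (udp_len < 8 || udp_len > v.len) return 0;   /* length lies about the buffer */
    s->payload_len = udp_len - 8;
    s->layers++;
    return 1;
}

/* IPv4: validate version, IHL and total length, then dispatch on protocol. */
static int dissect_ipv4(struct view v, struct summary *s) {
    if (v.len < 20 || (v.data[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(v.data[0] & 0x0f) * 4;
    uint16_t total_len = get_be16(v, 2);
    if (ihl < 20 || ihl > v.len || total_len < ihl || total_len > v.len) return 0;
    s->ip_proto = v.data[9];
    s->layers++;
    struct view payload;
    if (!subview(v, ihl, &payload)) return 0;
    payload.len = total_len - ihl;               /* drop Ethernet trailer/padding */
    switch (s->ip_proto) {
        case 17: return dissect_udp(payload, s);
        default: return 1;                       /* decoded, no sub-dissector registered */
    }
}

/* Ethernet II: 14-byte header, dispatch on EtherType. */
static int dissect_ethernet(struct view v, struct summary *s) {
    if (v.len < 14) return 0;
    s->ethertype = get_be16(v, 12);
    s->layers++;
    struct view payload;
    if (!subview(v, 14, &payload)) return 0;
    switch (s->ethertype) {
        case 0x0800: return dissect_ipv4(payload, s);
        default: return 1;
    }
}

/* Entry point a pcap_loop() callback would call with the captured frame. */
int dissect_frame(const uint8_t *buf, size_t len, struct summary *s) {
    memset(s, 0, sizeof *s);
    struct view v = { buf, len };
    return dissect_ethernet(v, s);
}

/* Constructed sample frame: Ethernet -> IPv4 -> UDP 53 -> 12345 with 4 payload bytes. */
const uint8_t SAMPLE_FRAME[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet */
    0x45,0x00, 0x00,0x20, 0x00,0x01, 0x00,0x00, 0x40,0x11, 0x00,0x00,        /* IPv4, len 32 */
    192,0,2,1, 192,0,2,2,                                                   /* src, dst */
    0x00,0x35, 0x30,0x39, 0x00,0x0c, 0x00,0x00,                             /* UDP, len 12 */
    0xde,0xad,0xbe,0xef                                                     /* payload */
};
const size_t SAMPLE_FRAME_LEN = sizeof SAMPLE_FRAME;

int main(void) {
    struct summary s;
    if (dissect_frame(SAMPLE_FRAME, SAMPLE_FRAME_LEN, &s))
        printf("layers=%d ethertype=0x%04x proto=%u %u->%u payload=%zu\n",
               s.layers, s.ethertype, s.ip_proto, s.src_port, s.dst_port, s.payload_len);
    return 0;
}
```

The point to carry over to real epan code is the same: every dissector only sees a view bounded by its parent, and every length field read from the wire is checked against that view before it is used to build the next one.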

I found the following project on GitHub:

https://github.com/gnychis/android-wmon

One has to do some modifications in order to get it to work, but it is much, much easier than starting from the beginning.

Fabian Knapp
  • That's an interesting project! I assume you wanted an Android-focused API in the first place. I just went quickly through the code and I believe it does not support Ethernet decoding (which isn't a problem at all if you're on a smartphone but might be if you're on a webserver). I'm just adding the comment in case someone finds this question while searching for a similar solution. – grochmal Jun 09 '16 at 20:56
  • Can you explain why it doesn't support Ethernet decoding? Which parts are missing? – Fabian Knapp Jun 11 '16 at 07:55
  • First, I need to admit that I never wrote Android code, therefore I may be very wrong, since I do not know what `android.os.Parcel` does, for example. But in the [hardware handlers](https://github.com/gnychis/android-wmon/tree/master/application/src/com/gnychis/awmon/HardwareHandlers) there are no Ethernet handlers (which I would expect), and the [LANScanner](https://github.com/gnychis/android-wmon/blob/master/application/src/com/gnychis/awmon/InterfaceScanners/LANScanner.java) has a hardcoded `--interface=wlan0`. As I said, I never wrote Android code; maybe `wlan0` can be used as Ethernet? – grochmal Jun 11 '16 at 13:01
  • I think the whole project only works fine for the mentioned hardware with an external WLAN USB card supporting monitor mode. However, I only use the C code on Android and only use the dissecting part with the help of wireshark_helper.c. This works great. – Fabian Knapp Jun 13 '16 at 07:39