On Sep 17, 2007, at 5:21 AM, Will Barker wrote:
> We currently produce PC-based WAN products. These include support for
> synchronous protocols such as X.25, PPP etc.
>
> We can currently capture frames using our own drivers/applications on
> Windows and Linux, save this information to file (in libpcap format)
> which can then subsequently be read by Wireshark. While this is useful
> it would be great if we could achieve the same thing but in real-time.
> I assume that this could (technically) be achieved on Windows either by
>
> 1) extending WinPcap in some way to enable it to capture our frames and
> pass them up to Wireshark
>
> 2) sitting alongside WinPcap and offering the frames up to Wireshark
> directly ourselves
>
> I assume 2) would require us to produce our own capture driver (NDIS on
> Windows) which Wireshark would see as a pseudo LAN driver and we could
> pass our WAN frames up to it using some (libpcap-based?) format or other?
The only way to offer frames to Wireshark would be through libpcap/WinPcap or via a pipe; the latter works better than the former. That means 1) is probably your best bet.
> Can anyone point me in the right direction as to how to achieve this?
> Developing the NDIS driver itself is not a problem since we’ve lots of
> experience there – the issue is one of interfaces and what is required
> in that regard in order for us to interface to Wireshark as seamlessly
> as possible.
Take a look at the libpcap/WinPcap source. Look both at the pcap-win32.c file and the pcap-linux.c file, in the pcap_open_live() routines.

Look first at pcap-linux.c; the Linux pcap_open_live() has code at the beginning that looks for particular strings in the device name and, if it sees them, calls special open routines.

For Windows, you should pick device names that don't match a device name you'd see on Windows (if you restrict yourself to NT 5.x and later, i.e. W2K and later without Windows Me, that should be easy, as the device names you see on Windows are ugly blobs with a GUID in the middle), and, for Linux, do the same. If you find a matching name, call your own open routine. See pcap-dag.c for an example of how that's done - you write your own routines to perform operations such as reading packets, and set function pointers in the pcap_t structure to point to those routines.
> The next question would then be – how to achieve the same thing on Linux?
See above. The bulk of the changes should be somewhat similar on Windows and Linux.
Further questions about this should probably be asked on the tcpdump-workers@xxxxxxxxxxx mailing list or, for Windows-specific issues, the winpcap-users@xxxxxxxxxxx list.
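The reply mentions a pipe as the alternative to teaching libpcap/WinPcap about a new device. The program below is an added example, not code from this thread or from libpcap/Wireshark: it shows what a capture application has to emit on that pipe, namely a libpcap global header followed by one record per frame, each written in host byte order and flushed immediately so the reader sees frames as they happen. The PPP/LCP frames, the timestamps and the pipe name are constructed for illustration; a real WAN driver would supply the frames and the matching DLT value (DLT_PPP here, the libpcap LAPB/HDLC types for X.25 links).

```c
/*
 * Added example, not code from the thread: feed frames to Wireshark
 * through a pipe in libpcap file format.  Frame contents, timestamps
 * and the pipe/file name are constructed for illustration.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <fcntl.h>
#include <io.h>
#endif

#define PCAP_MAGIC     0xa1b2c3d4u  /* pcap file magic, microsecond timestamps */
#define DLT_PPP        9            /* libpcap link type for PPP frames */
#define GLOBAL_HDR_LEN 24
#define RECORD_HDR_LEN 16
#define SNAPLEN        2048         /* enough for WAN frames; longer ones are truncated */

/* libpcap writes header fields in host byte order; the magic number lets
 * the reader detect which order was used. */
static void put_u32(unsigned char *p, uint32_t v) { memcpy(p, &v, sizeof v); }
static void put_u16(unsigned char *p, uint16_t v) { memcpy(p, &v, sizeof v); }

uint32_t get_u32(const unsigned char *p, size_t off)
{
    uint32_t v;
    memcpy(&v, p + off, sizeof v);
    return v;
}

/* Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype. */
size_t pcap_put_global_header(unsigned char *buf, uint32_t linktype, uint32_t snaplen)
{
    put_u32(buf + 0, PCAP_MAGIC);
    put_u16(buf + 4, 2);
    put_u16(buf + 6, 4);
    put_u32(buf + 8, 0);        /* thiszone: timestamps are UTC */
    put_u32(buf + 12, 0);       /* sigfigs: unused */
    put_u32(buf + 16, snaplen);
    put_u32(buf + 20, linktype);
    return GLOBAL_HDR_LEN;
}

/* One record: ts_sec, ts_usec, caplen (bytes saved), len (bytes on the wire),
 * then the frame truncated to snaplen.  Returns bytes written, 0 if buf is too small. */
size_t pcap_put_record(unsigned char *buf, size_t cap, uint32_t ts_sec, uint32_t ts_usec,
                       const unsigned char *frame, uint32_t len, uint32_t snaplen)
{
    uint32_t caplen = len < snaplen ? len : snaplen;
    if (cap < RECORD_HDR_LEN + caplen)
        return 0;
    put_u32(buf + 0, ts_sec);
    put_u32(buf + 4, ts_usec);
    put_u32(buf + 8, caplen);
    put_u32(buf + 12, len);
    memcpy(buf + RECORD_HDR_LEN, frame, caplen);
    return RECORD_HDR_LEN + caplen;
}

/* Constructed sample traffic: two PPP frames (address FF, control 03, protocol
 * C021 = LCP): an LCP Configure-Request and an LCP Echo-Request. */
static const unsigned char lcp_conf_req[] = { 0xff, 0x03, 0xc0, 0x21, 0x01, 0x01, 0x00, 0x04 };
static const unsigned char lcp_echo_req[] = { 0xff, 0x03, 0xc0, 0x21, 0x09, 0x01, 0x00, 0x08,
                                              0x00, 0x00, 0x00, 0x00 };
unsigned char sample_capture[256];   /* scratch space for encode_sample_capture() */

/* Encode header plus both sample frames into buf; returns total bytes.
 * A record that does not fit is dropped, which the returned length reveals. */
size_t encode_sample_capture(unsigned char *buf, size_t cap, uint32_t snaplen)
{
    size_t n;
    if (cap < GLOBAL_HDR_LEN)
        return 0;
    n = pcap_put_global_header(buf, DLT_PPP, snaplen);
    n += pcap_put_record(buf + n, cap - n, 1190000000, 0, lcp_conf_req, sizeof lcp_conf_req, snaplen);
    n += pcap_put_record(buf + n, cap - n, 1190000000, 250000, lcp_echo_req, sizeof lcp_echo_req, snaplen);
    return n;
}

/* Write one record and flush: on a pipe the reader only sees a frame once it
 * leaves stdio's buffer, so flushing per record is what makes it real-time. */
int emit_frame(FILE *out, uint32_t ts_sec, uint32_t ts_usec, const unsigned char *frame, uint32_t len)
{
    unsigned char rec[RECORD_HDR_LEN + SNAPLEN];
    size_t n = pcap_put_record(rec, sizeof rec, ts_sec, ts_usec, frame, len, SNAPLEN);
    if (n == 0 || fwrite(rec, 1, n, out) != n)
        return -1;
    return fflush(out);
}

int main(int argc, char **argv)
{
    unsigned char hdr[GLOBAL_HDR_LEN];
    FILE *out = stdout;                        /* default: stdout, for "wireshark -k -i -" */
#ifdef _WIN32
    _setmode(_fileno(stdout), _O_BINARY);      /* no CRLF translation of the capture */
#endif
    if (argc > 1 && (out = fopen(argv[1], "wb")) == NULL) {   /* e.g. a named pipe */
        perror(argv[1]);
        return 1;
    }
    pcap_put_global_header(hdr, DLT_PPP, SNAPLEN);   /* must precede every record */
    if (fwrite(hdr, 1, GLOBAL_HDR_LEN, out) != GLOBAL_HDR_LEN || fflush(out) != 0)
        return 1;
    if (emit_frame(out, 1190000000, 0, lcp_conf_req, sizeof lcp_conf_req) != 0 ||
        emit_frame(out, 1190000000, 250000, lcp_echo_req, sizeof lcp_echo_req) != 0)
        return 1;
    return out == stdout ? 0 : fclose(out);
}
```

On a Unix host the pipe route is `mkfifo /tmp/wan.pcap`, start `wireshark -k -i /tmp/wan.pcap`, then run the program with `/tmp/wan.pcap` as its argument (or pipe its stdout into `wireshark -k -i -`); the fifo name is an assumption. Two details matter more than they look: the global header has to be the first thing on the pipe, and every record must be flushed, otherwise frames sit in the stdio buffer and Wireshark shows nothing until it fills.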