Hi everyone,
I just registered to share something I wrote as an alternative to command-line Wireshark (tshark).
At my previous work place we had a piece of equipment that ran Linux and processed multiple protocols (some proprietary, some known protocols).
For debugging purposes we used to capture PCAP files using tcpdump, transfer them to a host machine and decode them there (where our proprietary protocols would not decode, as we did not write dissectors for all of them and had to parse them manually).
This is where I decided to create a side project of my own (in my spare time, of course :-)) that would be able to decode all our protocols using a very simple configuration file, where adding new protocols could be done in a matter of minutes.
The way it works is by parsing the output of tcpdump.
Configuration is done using a CSV file with a very small number of fields, which describe all the protocols and their relationships.
For example, the Ethernet protocol is defined by:
#Id,Name,Type,Length,Condition,Display
eth,Ethernet,Protocol,,,
eth.da,Destination Address,Memory,6,,MAC&SHORT
eth.sa,Source Address,Memory,6,,MAC&SHORT
eth.etype,Ethernet Type,Integer,2,eth.etype > 1500,HEX
eth.len,Length,Integer,2,!eth.etype,DEC
I planned to add support for PCAP parsing and more, but never got around to it.
Feel free to grab (and compile) a copy from:
http://mpd.googlecode.com/svn/trunk/
or browse the project from:
http://code.google.com/p/mpd/
Please note that there are actually two mains in the trunk:
a) calculator - a test program used to test the formula features.
b) packet_parser - the tcpdump output parser.
Also, I am aware that the makefile is missing. It was not required in our environment, so I did not add it, but it should be added.
If you compile the code, please post the makefile.
If you would like to contribute and add some more features to the project or just want to ask some questions, feel free to contact me.
Idan.
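The CSV protocol description quoted in the post, as an added example that is not part of the original post or of the mpd project: a small Python decoder that walks a configuration in that six-column format over raw bytes. The Condition grammar (`!id`, `id OP number`, compared against the field currently being decoded), the treatment of the `&SHORT` modifier, and the rule that a field whose condition fails consumes no bytes are my assumptions; the configuration text and the two frames are constructed.

```python
import operator

# Constructed inputs: CONFIG_CSV is the Ethernet definition quoted in the post; FRAME_*
# (at the bottom) are 14-byte Ethernet II (IPv4, type 0x0800) and 802.3 (length 64) frames.
CONFIG_CSV = """#Id,Name,Type,Length,Condition,Display
eth,Ethernet,Protocol,,,
eth.da,Destination Address,Memory,6,,MAC&SHORT
eth.sa,Source Address,Memory,6,,MAC&SHORT
eth.etype,Ethernet Type,Integer,2,eth.etype > 1500,HEX
eth.len,Length,Integer,2,!eth.etype,DEC
"""
OPS = {">": operator.gt, "<": operator.lt, "==": operator.eq, "!=": operator.ne}

def load_config(text):
    """Parse the six-column CSV (no quoted cells assumed) into field definitions."""
    rows = (l.split(",") for l in text.splitlines() if l and not l.startswith("#"))
    return [{"id": i, "name": n, "type": t, "len": int(ln) if ln else 0, "cond": c, "disp": d}
            for i, n, t, ln, c, d in rows]

def check(cond, fields, value):
    """Assumed Condition grammar (my reading; the post does not spell it out): empty ->
    present; '!id' -> present unless id was decoded; 'id OP n' -> compare id with n."""
    cond = cond.strip()
    if not cond:
        return True
    if cond.startswith("!"):
        return cond[1:] not in fields
    ident, op, num = cond.split()
    return OPS[op](fields.get(ident, value), int(num, 0))  # undecoded id = this field itself

def render(disp, value):
    base = disp.split("&")[0]           # '&SHORT' is not explained in the post; ignored here
    if base == "MAC":
        return ":".join(f"{b:02x}" for b in value)
    return f"0x{value:04x}" if base == "HEX" else str(value)  # HEX, otherwise DEC

def decode(defs, data):
    """Walk the definitions over raw bytes; a field whose Condition is false is absent
    and consumes nothing, so eth.etype and eth.len overlay the same two octets."""
    fields, rows, off = {}, [], 0
    for f in defs:
        if f["type"] == "Protocol":
            continue                               # container row, carries no bytes
        raw = data[off:off + f["len"]]
        if len(raw) < f["len"]:
            break                                  # truncated frame: stop, never overrun
        value = int.from_bytes(raw, "big") if f["type"] == "Integer" else raw
        if check(f["cond"], fields, value):
            fields[f["id"]] = value
            rows.append((f["name"], render(f["disp"], value)))
            off += f["len"]
    return rows, fields, off                       # rendered rows, raw values, bytes consumed

FRAME_ETH2 = bytes.fromhex("ffffffffffff001122334455" "0800")
FRAME_8023 = bytes.fromhex("ffffffffffff001122334455" "0040")
```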