Wireshark Development
This is the development section of the Wireshark wiki.
Beginner?
If you are new to Wireshark development, please set up your build environment first:
get the source code from the Wireshark development webpage
Win32: the Developer's Guide is currently invaluable for setting up a Win32 development environment
Unix-like: you may find information in the README.xxx file suitable for your target platform - in the root directory of the Wireshark sources
Required Libraries and Packages: Before you download the Wireshark source code, you may want to verify that the following packages are installed on your system -- they are required in order to compile:
GTK+ and GLib, available from the GTK+ site. Wireshark 1.0.x works with versions 1.2 or 2.x; later versions and the development version are 2.x only. Solaris users should note that at least some versions of the GLib and GTK+ packages from sunfreeware.com have had problems that either cause Wireshark not to build or cause it to crash when run. If the build fails because plugin_list isn't defined, or the build succeeds but Wireshark crashes with a bus error, and you have the GLib and GTK+ packages from sunfreeware.com installed, uninstall those packages and try instead the 1.2.10 versions from that site, the version from The Written Word, the version from Sun's GNOME distribution, the version from the supplemental software CD that comes with the Solaris media kit, or a build from source from the GTK Web site. Then re-run the configuration script and try rebuilding Wireshark. (If you get the 1.2.10 versions from www.sunfreeware.org and the problem persists, uninstall them and try one of the other versions mentioned.)
The libpcap packet capture library, available for Unix-like operating systems from The Tcpdump Group, if it doesn't come as part of your OS; the Windows port, WinPcap, is available from the WinPcap Web site, as well as from the Wiretapped.net mirror of that site. Linux distributions that ship libpcap often split it into separate "user" and "developer" packages; you will have to install both in order to compile Wireshark. On Windows, you will need to install not only the regular WinPcap library but also the "developer's pack" in order to compile Wireshark. You must install WinPcap 3.1 or later (4.x is recommended) and the corresponding version of the developer's pack; Wireshark will not compile with older versions of the developer's pack. (The installed developer's pack should be the same version as the WinPcap you have installed.)
- For Debian GNU/Linux, installing the following packages should get you started:
sudo aptitude install build-essential automake autoconf libgtk2.0-dev libglib2.0-dev libpcap0.8-dev flex bison
or install the wireshark-dev package for the complete set of libs and tools. Perl is required to build the documentation.
Python may be required to generate some code.
sed is required to generate some code.
Optional Libraries: Additionally, Wireshark can make use of numerous other libraries, if available.
Zlib allows Wireshark to read gzip-compressed files on the fly.
The libsmi library (replacing Net-SNMP) enables translation of OIDs to names, and more detailed decoding of variable bindings, using the MIB files that come with the library.
GNU adns allows asynchronous DNS resolution. Normally, Wireshark and tshark perform name resolution synchronously, which can slow things down considerably. A Windows version of the library is also available.
c-ares has replaced ADNS as asynchronous DNS resolver in the stable version of Wireshark.
The Perl Compatible Regular Expressions (PCRE) library implements the "matches" display filter operator, which lets you search for arbitrary regular expressions in capture files.
The GnuTLS library is used in dissection of SSL and TLS protocols.
The GCrypt library provides support for many ciphers.
The Kerberos library is used to dissect Kerberos, sealed DCERPC and secureLDAP protocols.
The Lua library is used to add scripting support to Wireshark.
The PortAudio library enables audio output for RTP streams.
The GeoIP library can be used to map IP addresses to geographical locations.
To build on a Unix-like operating system, you must have the GNU autoconf (2.52 or greater for the 1.0.x release, 2.60 or greater for later versions and the development release), automake (1.6 or later for the 1.0.x release, 1.9 with tar-ustar for later versions and the development release) and libtool (1.4 or greater) tools installed, as well as Perl. You may also need flex and bison. Run the autogen.sh script in the top-level wireshark directory to configure your build directory, then configure and build:
./autogen.sh
./configure [options]
make
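Before running autogen.sh it is worth checking that the tool versions listed above are actually present, since the configure stage fails in confusing ways otherwise. The following preflight script is an added example and not part of the wiki or of the Wireshark sources; the pkg-config module names gtk+-2.0 and glib-2.0 are an assumption, as is checking libtool via its --version banner.

```shell
#!/bin/sh
# Added example, not from the Wireshark wiki: preflight check for a Unix-like build using
# the minimums stated above for the development release (autoconf >= 2.60, automake >= 1.9,
# libtool >= 1.4, plus perl, flex, bison). GTK+/GLib 2.x are checked via pkg-config; the
# module names gtk+-2.0 and glib-2.0 are an assumption, not something the page states.

# version_ge HAVE WANT: succeed if dotted version HAVE is >= WANT, comparing field by field
# numerically, so that 1.10 >= 1.9 and 2.69-3 (suffix dropped) >= 2.60.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//'); b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                      # current field; a missing field counts as 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac  # drop the field just compared
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# first_version LINE: the first dotted number in a "--version" banner, e.g.
# "automake (GNU automake) 1.16.1" -> 1.16.1 (empty when the line has no number).
first_version() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9.]*' | head -n 1
}

# check_tool CMD MIN: print OK / MISSING / TOO OLD for CMD; succeed only when it is usable.
check_tool() {
    command -v "$1" >/dev/null 2>&1 || { echo "MISSING  $1 (need >= $2)"; return 1; }
    v=$(first_version "$("$1" --version 2>/dev/null | head -n 1)")
    if [ -n "$v" ] && version_ge "$v" "$2"; then echo "OK       $1 $v (need >= $2)"; return 0; fi
    echo "TOO OLD  $1 ${v:-?} (need >= $2)"; return 1
}

# preflight: run every check and fail if any one failed, so autogen.sh is only attempted
# on a machine that meets the stated requirements.
preflight() {
    rc=0
    check_tool autoconf 2.60 || rc=1
    check_tool automake 1.9  || rc=1
    check_tool libtool  1.4  || rc=1
    for t in perl flex bison; do
        if command -v "$t" >/dev/null 2>&1; then echo "OK       $t"; else echo "MISSING  $t"; rc=1; fi
    done
    for p in gtk+-2.0 glib-2.0; do
        if pkg-config --exists "$p" 2>/dev/null; then echo "OK       $p $(pkg-config --modversion "$p")"
        else echo "MISSING  $p development files"; rc=1; fi
    done
    return $rc
}
preflight || echo "Fix the items marked MISSING or TOO OLD before running ./autogen.sh."
```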
Now it's time to tweak the code:
doc/README.developer: the best manual on Wireshark dissector development so far; you will find it in the doc directory of the Wireshark sources. Please read and thoroughly understand all of the "Portability" and "Robustness" sections before writing any Wireshark code!
... and of course you should have a look at the Wireshark sources themselves!
General
Wireshark documentation webpage: the latest version of the Wireshark User's Guide and the Wireshark Developer's Guide in different formats (PDF, HTML, ...)
/LifeCycle: Life Cycle information on Wireshark releases
/Roadmap: Roadmap for upcoming Wireshark releases
/Wishlist: Wish list for internal features and architectural changes (as opposed to user-visible features WishList)
/Translations: Why it's not a good idea to translate Wireshark into Spanish/German/... languages
Development
SendingFilesToWireshark: Tips on sending files to the Wireshark mailing lists
/SecureProgramming: How to write more secure code, e.g. replacing insecure ANSI C calls with more secure ones
/CommonProblems: Some common problems while developing Wireshark
/DeprecatedFunctions: Some features now deprecated for new code
/Tips: Some selected wisdom to ease development/debugging
/MSVC7: Efforts to compile Wireshark using Microsoft VC7/.NET (or however it's really called)
/CygwinGCC: Efforts to compile Wireshark using Cygwin's GCC
/FilenameEncoding: the various Unicode and code page encodings of filenames in GLib
Lua: Extending Wireshark with the extensible extension language
/LibpcapFileFormat: A libpcap file format description
/Canary: Finding and fixing memory over- and under-runs with canaries
Generic dissector (http://wsgd.free.fr/): display your data clearly inside Wireshark without writing any code
pyreshark: A Wireshark plugin providing a simple interface for writing dissectors in Python.
Projects
In progress
/CustomColumnfication: An ongoing project concerning the migration of predefined columns to custom columns
/PrivilegeSeparation: A proposal to add privilege separation to Wireshark
Mate: Meta Analysis and Tracing Engine
/Security: Efforts to make Wireshark more secure
/Examples: Example files, which are used by the various installers as default files
EMEMification: A Janitor project to audit and fix memory management and prevent memory leaks.
Removeold-styleASN.1code: A project to remove old-style ASN.1 code
/ExpertInfo: a better "user display" of network misbehaviour
/PacketInput: how to get packet data into Wireshark in some "unusual" ways
/OptimizePacketList: the packet list isn't optimized for the way we use it; optimizing it could make a huge difference for large capture files
/Update: Checking for new versions and updating Wireshark on a regular basis
/CSVExport: Formats and problems with exporting into the CSV format
/multithreading: a list of what needs to be done in order to achieve it
/SNMP: reworking of OID handling and SNMP dissector
/Optimization: A patch for a faster but maybe slightly broken Wireshark
/FastFiltering: A patch for fast packet filtering interactively
/PcapNg: Read/Write the "PCAP Next Generation Dump File Format" or pcapng
Python: Extending Wireshark with Python
ReplaceDeprecatedGtkGLibFunctionUsage: An ongoing project to replace use of deprecated GTK and GLib functions.
GoingGTK3: A project to prepare the Shark to migrate from GTK+ 2 to GTK+ 3
SharkTools: A project that provides "matshark" and "pyshark", which integrate Wireshark's packet dissection engine into Matlab and Python.
Completed
/DropWin32GTK1: Thoughts about dropping GTK1 support on Win32
/PatchHandling: Changing patch handling policy
Tools
Asn2wrs: How to create a dissector using the ASN.1 compiler
/WiresharkEnvCmd: A batch script to set environment variables useful for Windows development
FuzzTesting: tools to stress test protocol dissectors
Pidl: A Perl-based DCE/RPC IDL compiler (and Wireshark dissector generator) developed for Samba 4
/CodeCoverage: check how much of your code is covered by the test cases
