I have a project to add support for two new block types to Wireshark. This doesn't seem to be documented anywhere and so I'm hoping that my notes here may help someone in the future.
The objective of the project is to add Wireshark support for the display, filtering, etc. of text log data (machine data). The data is presented to Wireshark in a PCAP-NG file that contains two new block types:
* TSDB - Text Source Descriptor Block that defines the layout of the data records ** The data in the TSDB is used to define heading fields i.e. the heading fields aren't predefined as they typically are in dissectors, but rather defined at file load time (and cleared when the file is closed) ** This block is analogous to the Interface Descriptor Block found in a network packet capture * TRB - Text Record Block that contains the log record data
The initial data being used is Apache HTTPD Common format log records, but I'm designing the solution so that any format of log data can be supported. I've started with the Apache HTTPD log data as it is a fairly simple format; space separated variables in fixed columns.
Test PCAP-NG Generation
Of course, the above raises the question, "What creates the PCAP-NG file with the new blocks?". At this time I'm using the Babel function that comes with TribeLab Workbench. The project that should follow this one will be to write a Wiretap reader for log files.
Babel produces the PCAP-NG file like this:
log_file -----------------------------------> TRBs ^ | apache-common.xsd -----+--------------------> TSDB