pcapr backend

harley

Sep 25, 2009, 5:07:00 PM
to pcapr-forum
Hello,
I was wondering if someone can discuss the backend parsing of pcapr.
Is tshark back there doing the application level parsing then the data
being fed up to the pcapr database? The reason I ask is because I'm
looking for a way to pull apart pcaps looking for specific things like
certain DNS A record requests or pulling out e-mail attachments
automatically. Any suggestions?


Thanks,
Harley

kowsik

Sep 25, 2009, 6:27:18 PM
to pcapr...@googlegroups.com
Yup, we do use tshark to pipe the pcap through it and then pull out
the specific fields that we need. If all you want is to pull out
specific field types, then tshark supports command line arguments to
print out packets that match specific query criteria.

For things like email attachments (and application data), we use
custom stream assembly code to extract the attachments and display
them. You can see this at work by clicking on any TCP packet and
selecting 'Reassemble' from the Actions drop down. I dunno if tshark
supports attachment extraction easily. It's a very packet oriented
interface. Recommend that you check on the wireshark user group to see
if someone has ideas.

K.
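As an added example that is not part of this thread or of pcapr's own code: a small Python parser that does the "specific DNS A record requests" extraction Harley asks about directly over a pcap file, with a constructed capture built inline so it runs offline. With tshark installed, the equivalent field extraction is `tshark -r file.pcap -Y 'dns.flags.response == 0 && dns.qry.type == 1' -T fields -e dns.qry.name` (current tshark uses `-Y` for the display filter).

```python
import struct

# Constructed sample input (not a real capture): a pcap file with one
# Ethernet/IPv4/UDP packet per (name, qtype) pair, each a DNS standard query.
def dns_query(name, qtype):
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, flags=RD, qdcount=1
    return hdr + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # qclass IN

def build_pcap(queries):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for name, qtype in queries:
        payload = dns_query(name, qtype)
        udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 53])) + udp
        frame = bytes(12) + b"\x08\x00" + ip  # zeroed MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def dns_a_queries(pcap):
    """Names asked for in DNS A-record queries (QR=0, qtype=1) sent to UDP/53."""
    names, off = [], 24  # skip the pcap global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 17:
            continue  # not UDP
        udp = 14 + ihl
        if struct.unpack_from("!H", frame, udp + 2)[0] != 53:
            continue  # not addressed to a DNS server port
        dns = frame[udp + 8:]
        if len(dns) < 12 or dns[2] & 0x80:
            continue  # truncated, or a response (QR bit set)
        labels, pos = [], 12
        while pos < len(dns) and 0 < dns[pos] < 0x40:  # plain labels only
            n = dns[pos]
            labels.append(dns[pos + 1: pos + 1 + n].decode("ascii", "replace"))
            pos += 1 + n
        if pos + 3 > len(dns) or dns[pos] != 0:
            continue  # malformed or compressed question name
        if struct.unpack_from("!H", dns, pos + 1)[0] == 1:  # qtype A
            names.append(".".join(labels))
    return names
```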