pcap-mode

pcap-mode copied to clipboard

• pcap-mode.el

Load an display a pcap file using the =tshark= utility.

To copy it yourself, simply:

#+NAME: setup_pcap_mode #+BEGIN_SRC sh git clone https://github.com/orgcandman/pcap-mode.git #+END_SRC

• Setup

In your =.emacs= initialization, add the following:

#+NAME: elisp-to-initialize #+BEGIN_SRC elisp (add-to-list 'load-path "/path/to/pcap-mode") (require 'pcap-mode) #+END_SRC

Then, when you open any .pcap file, the =tshark-executable= will be invoked against the filename, and the contents displayed in the buffer.

• Normally working with pcap-mode

When pcap-mode initially completes, it will display a summary-line listing of the packets. This is comparable to the tshark output when run against the pcap file. Example:

[[https://github.com/orgcandman/pcap-mode/blob/master/extra/pcapmode-core.png][file:extra/pcapmode-core.png]]

The mode map (customizable via =pcap-mode-map= variable) is defaulted as follows:

| Key | Function | Description | |----------+-------------------------------------------+-------------------------------------------------------------------------------| | | pcap-mode-view-pkt-contents | Pop up a separate buffer with the contents of a specific packet | | c | pcap-mode-search-frames | Search frame contents | | f | pcap-mode-set-tshark-filter | Change the buffer local display filter applied to the pcap file. | | F | pcap-mode-set-named-filter | Choose a predefined filter and apply it. | | g | pcap-mode-clear-filter | Clear the current filter. | | q | anonymous call to kill-buffer | Destroys the pcap buffer and all open packet buffers. | | r | pcap-mode-reload-file | Reload the current pcap buffer. | | C-u f | pcap-mode-set-tshark-single-packet-filter | Change the command line settings passed when running against a single packet. | | s | pcap-mode-set-tshark-single-packet-filter | Same as 'C-u f' keybind. | | t | pcap-mode-toggle-conversation-view | Sets the tshark options to follow tcp streams. | | C-u t | pcap-mode-toggle-conversation-view | Sets the tshark options to follow a specific type of stream (prompted) | | C-c C-d | anonymous debug function | Display some debugging information |

The filters are "smart" and will remember previous values set, making switching between filters convenient.

The packet viewer is a call to =pcap-mode--tshark-executable= passing the =pcap-mode--tshark-single-packet-filter= variable as well as the text frame.number==%d where %d is replaced with the packet number.

Example:

[[https://github.com/orgcandman/pcap-mode/extra/pcapmode-packet.png][file:extra/pcapmode-packet.png]]

• Hooks and variables

The following hooks are exposed by pcap-mode:

| hook variable | Hook entry notes | |-------------------------+-------------------------------------------------| | pcap-mode-hook | Hook run when pcap-mode starts | | pcap-mode-quit-hook | Hook run when pcap-mode window is closed. | | pcap-mode-reloaded-hook | Hook run when the main pcap windows is reloaded |

The following customizable variables exist | Variable Name | Description | |-------------------------------------------+----------------------------------------------------------------------------| | pcap-mode-tshark-executable | Path to the tshark binary | | pcap-mode-reload-pcap-when-filter-changes | Automatically reload pcap window buffer when changing filter | | pcap-mode-tshark-filter | Filter used when reloading the pcap viewer window | | pcap-mode-tshark-single-packet-filter | Filter used for single-packet viewing | | pcap-mode-dfilters-file | Location of wireshark dfilters file containing predefined display filters. |

• TODOS

The following list of todos should be eliminated as they are completed.

** Syntax table to make the list view pretty

** Unit tests? Maybe?

** display filter building wizard