https://github.com/apconole/pcap-mode

emacs lisp pcap file viewer
https://github.com/apconole/pcap-mode

Last synced: 3 months ago
JSON representation

emacs lisp pcap file viewer

• Host: GitHub
• URL: https://github.com/apconole/pcap-mode
• Owner: apconole
• License: gpl-2.0
• Created: 2016-08-16T23:12:18.000Z (over 8 years ago)
• Default Branch: master
• Last Pushed: 2016-10-25T14:50:46.000Z (over 8 years ago)
• Last Synced: 2024-08-02T01:26:13.154Z (6 months ago)
• Language: Emacs Lisp
• Size: 181 KB
• Stars: 60
• Watchers: 4
• Forks: 5
• Open Issues: 1
• Metadata Files:
  • Readme: README.org
  • License: COPYING

Awesome Lists containing this project

README

        
* pcap-mode.el

Load an display a pcap file using the =tshark= utility.

To copy it yourself, simply:

#+NAME: setup_pcap_mode

#+BEGIN_SRC sh

 git clone https://github.com/orgcandman/pcap-mode.git

#+END_SRC

* Setup

In your =.emacs= initialization, add the following:

#+NAME: elisp-to-initialize

#+BEGIN_SRC elisp

(add-to-list 'load-path "/path/to/pcap-mode")

(require 'pcap-mode)

#+END_SRC

Then, when you open any .pcap file, the =tshark-executable= will be 

invoked against the filename, and the contents displayed in the buffer.

* Normally working with pcap-mode

When pcap-mode initially completes, it will display a summary-line listing of

the packets.  This is comparable to the tshark output when run against the

pcap file.  Example:

[[https://github.com/orgcandman/pcap-mode/blob/master/extra/pcapmode-core.png][file:extra/pcapmode-core.png]]

The mode map (customizable via =pcap-mode-map= variable) is defaulted as 

follows:

| Key      | Function                                  | Description                                                                   |

|----------+-------------------------------------------+-------------------------------------------------------------------------------|

|  | pcap-mode-view-pkt-contents               | Pop up a separate buffer with the contents of a specific packet               |

| c        | pcap-mode-search-frames                   | Search frame contents                                                         |

| f        | pcap-mode-set-tshark-filter               | Change the buffer local display filter applied to the pcap file.              |

| F        | pcap-mode-set-named-filter                | Choose a predefined filter and apply it.                                      |

| g        | pcap-mode-clear-filter                    | Clear the current filter.                                                     |

| q        | anonymous call to kill-buffer             | Destroys the pcap buffer and all open packet buffers.                         |

| r        | pcap-mode-reload-file                     | Reload the current pcap buffer.                                               |

| C-u f    | pcap-mode-set-tshark-single-packet-filter | Change the command line settings passed when running against a single packet. |

| s        | pcap-mode-set-tshark-single-packet-filter | Same as 'C-u f' keybind.                                                      |

| t        | pcap-mode-toggle-conversation-view        | Sets the tshark options to follow tcp streams.                                |

| C-u t    | pcap-mode-toggle-conversation-view        | Sets the tshark options to follow a specific type of stream (prompted)        |

| C-c C-d  | anonymous debug function                  | Display some debugging information                                            |

The filters are "smart" and will remember previous values set, making 

switching between filters convenient.

The packet viewer is a call to =pcap-mode--tshark-executable= passing 

the =pcap-mode--tshark-single-packet-filter= variable as well as the text 

*frame.number==%d* where %d is replaced with the packet number.

Example:

[[https://github.com/orgcandman/pcap-mode/extra/pcapmode-packet.png][file:extra/pcapmode-packet.png]]

* Hooks and variables

The following hooks are exposed by pcap-mode:

| hook variable           | Hook entry notes                                |

|-------------------------+-------------------------------------------------|

| pcap-mode-hook          | Hook run when pcap-mode starts                  |

| pcap-mode-quit-hook     | Hook run when pcap-mode window is closed.       |

| pcap-mode-reloaded-hook | Hook run when the main pcap windows is reloaded |

The following customizable variables exist

| Variable Name                             | Description                                                                |

|-------------------------------------------+----------------------------------------------------------------------------|

| pcap-mode-tshark-executable               | Path to the tshark binary                                                  |

| pcap-mode-reload-pcap-when-filter-changes | Automatically reload pcap window buffer when changing filter               |

| pcap-mode-tshark-filter                   | Filter used when reloading the pcap viewer window                          |

| pcap-mode-tshark-single-packet-filter     | Filter used for single-packet viewing                                      |

| pcap-mode-dfilters-file                   | Location of wireshark dfilters file containing predefined display filters. |

* TODOS

The following list of todos should be eliminated as they are completed.

** Syntax table to make the list view pretty

** Unit tests? Maybe?

** display filter building wizard