> When storing events for later post-processing, the packets' journeys can be reconstructed: [...]
> Retis offers many more features including retrieving conntrack information, advanced filtering, monitoring dropped packets and dropped packets from Netfilter, generating pcap files from the collected packets, allowing writing post-processing scripts in Python and more.
Would syntax highlighting be a useful general feature, or should that be a post-processing script in e.g. Python?
It would definitely be useful. This is part of the plan and we started exploring different possibilities (early stage, at the moment).
Thank you for the feedback and for filing the feature request on GH.
I'm sure this could be implemented using the Python bindings as the stored events contain the raw packet. Pcap conversion can also be used (it uses the same raw packet) for reusing existing tools like Wireshark and (I'm not familiar with that but I guess that would work) existing custom protocol dissectors.
the pcap-ng file will contain packets (l2/l3/l4 and so forth, but up to 255 bytes), each annotated with a comment that tells you from what kernel function or tracepoint the packet was "captured" from.
For the time being you can generate pcapng files filtering packets based on a single probe (e.g. all filtered/tracked packets hitting `net:net_dev_start_xmit`).
You can then use wireshark (or any tool you prefer) to dissect and further process. Custom dissectors should not be required.
yep.
For Wireshark/Tshark, display filters (including "frame.comment contains ...") can be used as usual.
Of course, if your pcap file contains only frames with the same comment, that expression is not particularly useful, but you can merge multiple files with e.g. mergecap.
The pcap subcommand, though, will be extended to allow extracting packets from multiple probes in a single run.
Two other projects in the same vein:
https://github.com/YutaroHayakawa/ipftrace2
https://github.com/cilium/pwru
> When storing events for later post-processing, the packets' journeys can be reconstructed: [...]
> Retis offers many more features including retrieving conntrack information, advanced filtering, monitoring dropped packets and dropped packets from Netfilter, generating pcap files from the collected packets, allowing writing post-processing scripts in Python and more.
Would syntax highlighting be a useful general feature, or should that be a post-processing script in e.g. Python?
It would definitely be useful. This is part of the plan and we started exploring different possibilities (early stage, at the moment). Thank you for the feedback and for filing the feature request on GH.
Hey np. Also,
Wireshark and also tshark iirc support custom protocol dissectors;
"How can I add a custom protocol analyzer to wireshark?" https://stackoverflow.com/questions/4904991/how-can-i-add-a-...
What can the pcap files contain?
I'm sure this could be implemented using the Python bindings as the stored events contain the raw packet. Pcap conversion can also be used (it uses the same raw packet) for reusing existing tools like Wireshark and (I'm not familiar with that but I guess that would work) existing custom protocol dissectors.
the pcap-ng file will contain packets (l2/l3/l4 and so forth, but up to 255 bytes), each annotated with a comment that tells you from what kernel function or tracepoint the packet was "captured" from. For the time being you can generate pcapng files filtering packets based on a single probe (e.g. all filtered/tracked packets hitting `net:net_dev_start_xmit`). You can then use wireshark (or any tool you prefer) to dissect and further process. Custom dissectors should not be required.
Can Wireshark parse comments in pcapng files, even with a dissector?
/? ' https://www.google.com/search?q=Can+Wireshark+parse+comments... :
And there's apparently a way to add a custom column to display frame.comment from pcapng traces in wiresharkyep. For Wireshark/Tshark, display filters (including "frame.comment contains ...") can be used as usual. Of course, if your pcap file contains only frames with the same comment, that expression is not particularly useful, but you can merge multiple files with e.g. mergecap.
The pcap subcommand, though, will be extended to allow extracting packets from multiple probes in a single run.
Sounds interesting. I once had a similar idea to trace / debug firewall rules but wanted to use Usermode Linux for full control of in/out packets.