Load an display a pcap file using the tshark utility.
To copy it yourself, simply:
git clone https://github.com/orgcandman/pcap-mode.gitIn your .emacs initialization, add the following:
(add-to-list 'load-path "/path/to/pcap-mode")
(require 'pcap-mode)Then, when you open any .pcap file, the tshark-executable will be
invoked against the filename, and the contents displayed in the buffer.
When pcap-mode initially completes, it will display a summary-line listing of the packets. This is comparable to the tshark output when run against the pcap file. Example:
The mode map (customizable via pcap-mode-map variable) is defaulted as
follows:
| Key | Function | Description |
|---|---|---|
| <return> | pcap-mode-view-pkt-contents | Pop up a separate buffer with the contents of a specific packet |
| c | pcap-mode-search-frames | Search frame contents |
| f | pcap-mode-set-tshark-filter | Change the buffer local display filter applied to the pcap file. |
| F | pcap-mode-set-named-filter | Choose a predefined filter and apply it. |
| g | pcap-mode-clear-filter | Clear the current filter. |
| q | anonymous call to kill-buffer | Destroys the pcap buffer and all open packet buffers. |
| r | pcap-mode-reload-file | Reload the current pcap buffer. |
| C-u f | pcap-mode-set-tshark-single-packet-filter | Change the command line settings passed when running against a single packet. |
| s | pcap-mode-set-tshark-single-packet-filter | Same as ‘C-u f’ keybind. |
| t | pcap-mode-toggle-conversation-view | Sets the tshark options to follow tcp streams. |
| C-u t | pcap-mode-toggle-conversation-view | Sets the tshark options to follow a specific type of stream (prompted) |
| C-c C-d | anonymous debug function | Display some debugging information |
The filters are “smart” and will remember previous values set, making switching between filters convenient.
The packet viewer is a call to pcap-mode--tshark-executable passing
the pcap-mode--tshark-single-packet-filter variable as well as the text
frame.number==%d where %d is replaced with the packet number.
Example:
The following hooks are exposed by pcap-mode:
| hook variable | Hook entry notes |
|---|---|
| pcap-mode-hook | Hook run when pcap-mode starts |
| pcap-mode-quit-hook | Hook run when pcap-mode window is closed. |
| pcap-mode-reloaded-hook | Hook run when the main pcap windows is reloaded |
The following customizable variables exist
| Variable Name | Description |
|---|---|
| pcap-mode-tshark-executable | Path to the tshark binary |
| pcap-mode-reload-pcap-when-filter-changes | Automatically reload pcap window buffer when changing filter |
| pcap-mode-tshark-filter | Filter used when reloading the pcap viewer window |
| pcap-mode-tshark-single-packet-filter | Filter used for single-packet viewing |
| pcap-mode-dfilters-file | Location of wireshark dfilters file containing predefined display filters. |
The following list of todos should be eliminated as they are completed.