Using DTrace on OmniOS is not straightforward:
$ pfexec dtrace -n 'syscall:::'
dtrace: failed to initialize dtrace: DTrace device not available on system
Need to install both dtrace and dtrace/providers packages:
$ pfexec pkg install dtrace dtrace/providers
Now the DTrace module is loaded:
$ modinfo | grep dtrace
5 fffffffff8243000 1af28 280 1 dtrace (Dynamic Tracing)
Then it will work!
P.S., Thanks for Andy Fiddaman‘s help!
When processing pcapng file which have multiple interfaces, you may meet following errors:
pcap_next_ex() [an interface has a snapshot length 262144 different from the type of the first interface]
Then capinfos shows you there are multiple interfaces with different capture lengths:
$ capinfos test.pcapng
File name: test.pcapng
File type: Wireshark/... - pcapng
......
Number of interfaces in file: 2
Interface #0 info:
Encapsulation = Ethernet (1 - ether)
Capture length = 1600
Time precision = microseconds (6)
Time ticks per second = 1000000
Number of stat entries = 0
Number of packets = 2474
Interface #1 info:
Encapsulation = Ethernet (1 - ether)
Capture length = 262144
Time precision = microseconds (6)
Time ticks per second = 1000000
Number of stat entries = 0
Number of packets = 13
One solution is to convert the pcapng to pcap file, then libpcap can process it:
tshark -F pcap -r test.pcapng -w test.pcapI want to build & debug tshark on CentOS 7 (No need GUI), and the first step is installing cmake3:
$ sudo yum install cmake3
Create a build directory under Wireshark source code, and Run following commands:
$ cd build
$ cmake3 -DBUILD_wireshark=OFF -DCMAKE_BUILD_TYPE=Debug ..
$ make
That’s it!
References:
How to build and install tshark without Wireshark?;
Wireshark docs.
I had a new requirement, i.e., duplicate the last packet in pcap file, and definitely, the timestamp of the packet needs to be modified. It is not hard, and just need to keep the previous packet information. Once meet the end of file, dump previous packet information with tweaked timestamp again. The code is available here.