Is there a function in Wireshark which I can use to decode packets in a memory buffer rather than a capture file?
I have been reading the docs that come with Wireshark along with analyzing the source to figure out if there is a function or collection of functions in Wireshark which would allow me to pass a buffer containing capture data (rather than using an external file).
I asked this question on the Wireshark-dev list as well, but had no responses.
As far as I understand, you tell Wireshark where to look for packets (in terms of a file, pipe or socket) and it tells you whenever it's got a packet from that stream, so my gut feeling is that there isn't a way to pass a pointer to a buffer containing capture data and have Wireshark parse whatever it can find there.
However, I am by no means an expert on the internals of Wireshark, so I am looking to SO to help me figure out a definitive answer. Thank you.
Have you tried creating a new tvbuff_t as TVBUFF_REAL_DATA and providing your memory region as the data parameter?
#include <epan/tvbuff.h>   // libwireshark tvbuff API
tvbuff_t *tvb = tvb_new_real_data(mem_buffer_ptr, mem_buf_length, mem_buf_length);
// mem_buffer_ptr is your memory buffer (const guint8 *)
// mem_buf_length is the number of bytes in your buffer (passed as both length and reported_length)
Wireshark historically does not play well with other applications, so whether this will work or not is questionable, especially if you think your data may change while it is being dissected. Is it not possible to write out a temporary file?
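Following the suggestion of writing a temporary file, here is an added example (not from the question, the answer, or Wireshark itself) that wraps link-layer frames held in a memory buffer in the classic pcap format, which Wireshark and tshark can open directly; it assumes each buffer is one complete Ethernet frame, and the ARP frame used as input is a constructed sample.

```python
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1        # DLT for Ethernet frames

# Constructed sample: a 42-byte Ethernet/ARP request (broadcast "who has 10.0.0.2").
SAMPLE_ARP = bytes.fromhex(
    "ffffffffffff" "020000000001" "0806"          # Ethernet dst, src, EtherType ARP
    "0001" "0800" "06" "04" "0001"                # htype, ptype, hlen, plen, op=request
    "020000000001" "0a000001"                     # sender MAC / IP
    "000000000000" "0a000002")                    # target MAC / IP

def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    # magic, version 2.4, thiszone, sigfigs, snaplen, network (24 bytes, little-endian)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(packet, ts_sec=0, ts_usec=0):
    # ts_sec, ts_usec, incl_len (bytes captured), orig_len (bytes on the wire)
    return struct.pack("<IIII", ts_sec, ts_usec, len(packet), len(packet)) + packet

def buffer_to_pcap(packets, linktype=LINKTYPE_ETHERNET):
    """Serialize a list of in-memory frames into one pcap blob."""
    out = pcap_global_header(linktype=linktype)
    for i, pkt in enumerate(packets):
        out += pcap_record(pkt, ts_sec=i)   # synthetic 1 s spacing
    return out

def parse_pcap(data):
    """Read a pcap blob back; returns (linktype, [frame bytes, ...]). Rejects oversized records."""
    magic, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    off, frames = 24, []
    while off < len(data):
        _sec, _usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        if incl > snaplen or off + incl > len(data):
            raise ValueError("truncated or oversized record")
        frames.append(data[off:off + incl])
        off += incl
    return linktype, frames

def roundtrip_via_tempfile(packets):
    """Write the frames to a temporary .pcap (what tshark -r would read), parse it back, clean up."""
    fd, path = tempfile.mkstemp(suffix=".pcap")
    with os.fdopen(fd, "wb") as f:
        f.write(buffer_to_pcap(packets))
    try:
        with open(path, "rb") as f:
            return parse_pcap(f.read())
    finally:
        os.remove(path)
```

The temporary path returned by mkstemp can be handed to tshark or Wireshark, or the same bytes can be streamed to a named pipe so no file is left behind.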