archimatetool / archi

Archi: ArchiMate Modelling Tool
https://www.archimatetool.com
MIT License

[Feature Request or New Plugin?] Support for WireShark CSV output to be imported into Archi as a processed Deployment Model #292

Open JamesUsmar opened 6 years ago

JamesUsmar commented 6 years ago

From time to time I come to external systems that have become undocumented and no one really understands how they are plumbed together, or knows what the effect will be if a component 'building block' is changed... sound familiar to anyone else?

Sometimes in a technical approach to validating the "gap" I will turn to some old and trusted tools like Wireshark and the like. I can see value in rapid Architecture Development being able to take the output of these tools and processing them into Archi to generate an Architecture Deployment model.

I see that the Wireshark CSV export format is very similar to the relationship.csv Archi format and with some development could readily be turned into an Archimate set of objects and relationships decorated with additional property information from the Wireshark capture.

Building models up through the CMDBs, and other sources has the problem that they are only as good as the person or machine which initially captured and so are prone to error etc.

I imagine that the Wireshark CSV "info" field is well specified somewhere, and this would be the lookup matrix to make some logical modelling assessments - so to help determine what are the elements, the element types, the element additional properties, the relations and relation types/directions.

Thoughts? Useful to others? Been looked at before?

Many thanks. James Usmar

jbsarrodie commented 6 years ago

Hi,

This seems interesting as I already had similar needs in the past. Could you provide more information (examples and/or specs on the web) about this Wireshark CSV format so that I can have a look at it?

Regards,

JB

JamesUsmar commented 6 years ago

Hi,

(Apologies for the delay in responding)

Wireshark, once you have saved the initial trace as a PCAP file, offers you a 'File|Export as CSV' option. (Note bizarrely this Export option isn't offered until the trace is saved in its raw format.)

The WireShark CSV file structure is pretty simple and so far as I know hasn't changed in years. The content of the "info" field is where some added value (aka development) is needed to relate the source and target IP addresses to actual deployed "things". They then become your Archimate "Device(s)" to model. With a simple lookup of the numerous 'Protocols' etc you can infer "Nodes" into the model too, 'compound relating' them to the "devices". I suspect by default the "devices" are going to be linked by 'association relationships'. I suspect that there wouldn't be enough understanding to define the relationship to a finer grain. The IP addresses, together with information gleaned from the "info" field, then all become "Property" decoration to the Archi objects.

My thinking goes that once you have this 'deployment model' foundation, you can apply the Architect human to the problem to build up the Architecture Model to deliver whatever benefits are being sought. Potentially cross linking a CMDB etc into it, as you would hope there is sufficient decorative "properties" to do that.

In answer to your question - I believe this may help (note it is from a mirror on GitHub); sadly on my brief look I couldn't find all the permutations of all the "info" field vocabulary/thesaurus of what may be printed there:

https://github.com/wireshark/wireshark/search?utf8=%E2%9C%93&q=CSV+Export&type=

I was wondering if something better than this UML swim lane view (link below) could be achieved with an Archi Archimate Model automatically generated from the Wireshark CSV trace to expedite Architecture modelling/documentation of the "As-Is" (or even "To-Be" where 'Technical Debt' lags behind deployment, for business reasons!):

http://danlebrero.com/2017/04/06/documenting-your-architecture-wireshark-plantuml-and-a-repl/

Other areas you may want to review looking for more information:

https://wiki.wireshark.org/Development/LibpcapFileFormat
https://www.wireshark.org/develop.html
https://code.wireshark.org/review/Documentation/index.html
https://www.wireshark.org/docs/wsug_html_chunked/ChIOExportSection.html
https://wiki.wireshark.org/Development/CSVExport
https://github.com/wireshark/wireshark/blob/5f667694d3bbd57f13c26d3588d5671dfd30d09a/doc/tshark.pod

(Note: Wireshark I believe predates GitHub, so they have a mirror only here. The source is hosted on a dedicated Git server with a wiki elsewhere as per the links above.)

Hope it helps give you some thoughts.

Many Thanks. James Usmar.
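The mapping sketched in the two comments above (IP addresses become Devices, observed protocols become Nodes composed into the Device that hosts them, host pairs that exchanged traffic are linked by association relationships, and the raw capture details are kept as properties) can be prototyped outside Archi as a small script. The following is an added example written for this discussion; it is not code from the Archi project or from the issue author. It assumes the default Wireshark packet-list CSV columns (No., Time, Source, Destination, Protocol, Length, Info), the three-file Archi CSV import layout (elements.csv, relations.csv, properties.csv with the column headers shown in the constants, which should be checked against the Archi version in use), and a deliberately simple heuristic that the first host seen receiving an application protocol is the one hosting it. The capture rows are constructed sample data.

```python
import csv
import io

# Constructed sample of a Wireshark "Export Packet Dissections -> As CSV" file
# (default packet-list columns; addresses, ports and timings are invented).
WIRESHARK_CSV = """\
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","10.0.0.5","10.0.0.20","TCP","74","51234 > 443 [SYN] Seq=0 Win=64240 Len=0"
"2","0.000210","10.0.0.20","10.0.0.5","TCP","74","443 > 51234 [SYN, ACK] Seq=0 Ack=1"
"3","0.001500","10.0.0.5","10.0.0.20","TLSv1.2","571","Client Hello"
"4","0.400000","10.0.0.5","10.0.0.53","DNS","83","Standard query 0x1a2b A db.internal"
"5","0.401000","10.0.0.53","10.0.0.5","DNS","99","Standard query response 0x1a2b A 10.0.0.30"
"6","0.900000","10.0.0.5","10.0.0.30","TCP","74","51235 > 5432 [SYN] Seq=0 Win=64240 Len=0"
"""

# Transport/link-layer protocols say nothing about what a host runs, so they are
# not turned into Nodes (a heuristic of this example, not Wireshark or Archi behaviour).
TRANSPORT_PROTOCOLS = {"TCP", "UDP", "ICMP", "ARP"}

# Archi CSV import column layout (assumed; verify against the Archi version in use).
ELEMENT_HEADER = ["ID", "Type", "Name", "Documentation"]
RELATION_HEADER = ["ID", "Type", "Name", "Documentation", "Source", "Target"]
PROPERTY_HEADER = ["ID", "Key", "Value"]


def build_model(wireshark_csv):
    """Map a Wireshark CSV export to Archi element, relation and property rows.

    Every IP address becomes a Device. The first host seen receiving an
    application protocol is assumed to host it and gets a Node composed into
    its Device. Each pair of hosts that exchanged packets gets one
    AssociationRelationship carrying a packet count and the protocol list.
    """
    elements, relations, properties = [], [], []
    device_ids = {}   # ip -> element id
    node_ids = {}     # (ip, protocol) -> element id
    pair_stats = {}   # (ip_a, ip_b) -> {"packets": int, "protocols": [..]}

    def device_for(ip):
        if ip not in device_ids:
            dev_id = "id-dev-%d" % (len(device_ids) + 1)
            device_ids[ip] = dev_id
            elements.append([dev_id, "Device", ip, "Inferred from Wireshark capture"])
            properties.append([dev_id, "ip", ip])  # capture detail kept as a property
        return device_ids[ip]

    for row in csv.DictReader(io.StringIO(wireshark_csv)):
        src, dst, proto = row["Source"], row["Destination"], row["Protocol"]
        src_id, dst_id = device_for(src), device_for(dst)

        # Application protocol seen for the first time: model it as a Node on the receiver.
        already_modelled = any(p == proto for (_, p) in node_ids)
        if proto not in TRANSPORT_PROTOCOLS and not already_modelled:
            node_id = "id-node-%d" % (len(node_ids) + 1)
            node_ids[(dst, proto)] = node_id
            elements.append([node_id, "Node", "%s on %s" % (proto, dst), ""])
            properties.append([node_id, "protocol", proto])
            relations.append(["id-comp-%d" % len(node_ids), "CompositionRelationship",
                              "", "", dst_id, node_id])

        # One undirected association per host pair, keyed on the first-seen direction.
        key = (dst, src) if (dst, src) in pair_stats else (src, dst)
        stats = pair_stats.setdefault(key, {"packets": 0, "protocols": []})
        stats["packets"] += 1
        if proto not in stats["protocols"]:
            stats["protocols"].append(proto)

    for n, ((a, b), stats) in enumerate(pair_stats.items(), start=1):
        rel_id = "id-assoc-%d" % n
        relations.append([rel_id, "AssociationRelationship", "", "", device_ids[a], device_ids[b]])
        properties.append([rel_id, "packets", str(stats["packets"])])
        properties.append([rel_id, "protocols", ",".join(stats["protocols"])])

    return elements, relations, properties


def to_archi_csv(elements, relations, properties):
    """Render the three files Archi's CSV importer reads, as a name -> text mapping."""
    def render(header, rows):
        buf = io.StringIO()
        writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
        writer.writerow(header)
        writer.writerows(rows)
        return buf.getvalue()

    return {
        "elements.csv": render(ELEMENT_HEADER, elements),
        "relations.csv": render(RELATION_HEADER, relations),
        "properties.csv": render(PROPERTY_HEADER, properties),
    }


if __name__ == "__main__":
    for name, text in to_archi_csv(*build_model(WIRESHARK_CSV)).items():
        print("==", name)
        print(text)
```

Running the script on the sample produces four Devices, two Nodes (TLSv1.2 on 10.0.0.20 and DNS on 10.0.0.53), two composition relationships and three associations, each association carrying the packet count and protocol list as properties. Writing the three strings to files and importing them with Archi's CSV import gives the raw deployment model the comment describes; the "first receiver hosts the protocol" rule is the weakest part and is exactly where the Info field would need real parsing to get port and server-side information.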