My hacking project over the holiday is a network analyzer app for Mac OS X, which is similar in style and function to Wireshark, but it is written using the Cocoa frameworks. I considered just writing a Cocoa GUI for the existing Wireshark code, but that seems a little too hard, since Wireshark looks too closely tied to GTK.
Also, Wireshark doesn’t quite function like I want it to, when it comes to privileged access: when I want to run Wireshark or Ethereal (via DarwinPorts) I usually have to run it as root, which I don’t like doing, and using X11 on OS X works, but isn’t as nice. So, what Network Analyzer does is use the Security framework on OS X to gain privilege to read the packet filter interface, then forks off a helper program that does the actual packet sniffing. This works pretty well, since you only have to authenticate as administrator when doing the capture, not when looking at a capture.
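The privilege split described above (the GUI never holds root; a separate helper opens the capture device and hands back only a file descriptor) can be sketched in plain C. This is an added example, not Network Analyzer's own code: it stands in the capture device with an ordinary temp file so it runs without root or a BPF device, and it uses fork plus a socketpair in place of the Security framework's authorized launch of the helper. The names `send_fd`, `recv_fd`, `capture_via_helper` and `make_fake_device` are all invented for the example.

```c
/* Added example of privilege separation for a packet reader: the helper is the
 * only role that would need elevated rights (to open /dev/bpfN on macOS); the
 * reader receives just the descriptor over a Unix socket and reads from it.
 * The "device" here is a constructed temp file, so no privilege is needed. */
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Pass one open descriptor across a Unix-domain socket with SCM_RIGHTS. */
static int send_fd(int sock, int fd)
{
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char ctrl[CMSG_SPACE(sizeof(int))];
    memset(ctrl, 0, sizeof ctrl);
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctrl;
    msg.msg_controllen = sizeof ctrl;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent by send_fd(); -1 if the helper sent nothing. */
static int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char ctrl[CMSG_SPACE(sizeof(int))];
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctrl;
    msg.msg_controllen = sizeof ctrl;
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Helper role: open the device, hand the descriptor back, keep nothing. */
static int helper_main(int sock, const char *device)
{
    int fd = open(device, O_RDONLY);
    if (fd < 0) return 1;
    int rc = send_fd(sock, fd);
    close(fd);
    return rc == 0 ? 0 : 1;
}

/* Reader role: fork the helper, take the descriptor, read with no privilege.
 * Returns bytes read, or -1 if the helper could not open the device. */
ssize_t capture_via_helper(const char *device, char *buf, size_t len)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(sv[0]);
        _exit(helper_main(sv[1], device));
    }
    close(sv[1]);
    int fd = recv_fd(sv[0]);
    close(sv[0]);
    int status;
    waitpid(pid, &status, 0);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len);
    close(fd);
    return n;
}

/* Constructed stand-in for /dev/bpf: a temp file holding 14 fake bytes. */
const char *make_fake_device(void)
{
    static char path[] = "/tmp/fake_bpf_XXXXXX";
    static int created = 0;
    if (!created) {
        int fd = mkstemp(path);
        if (fd < 0) return NULL;
        if (write(fd, "PKT0001PKT0002", 14) != 14) { close(fd); return NULL; }
        close(fd);
        created = 1;
    }
    return path;
}

/* 1 when the unprivileged reader got exactly the device's bytes via the helper. */
int demo_ok(void)
{
    char buf[64];
    const char *dev = make_fake_device();
    if (!dev) return 0;
    ssize_t n = capture_via_helper(dev, buf, sizeof buf);
    return n == 14 && memcmp(buf, "PKT0001PKT0002", 14) == 0;
}

/* 1 when a device the helper cannot open yields -1 rather than garbage. */
int missing_device_fails(void)
{
    char buf[8];
    return capture_via_helper("/nonexistent/bpf_device", buf, sizeof buf) == -1;
}

int main(void)
{
    printf("capture via helper: %s\n", demo_ok() ? "ok" : "failed");
    printf("missing device handled: %s\n", missing_device_fails() ? "ok" : "no");
    return 0;
}
```

The point the design buys is visible in `capture_via_helper`: the reader only ever touches a descriptor, so a bug in the decoding or UI code never runs with the rights needed to open the device. In the real app the helper is the piece launched through the Security framework's authorization, and the decoder, file loading and clipboard code stay on the unprivileged side.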
The program can now capture traffic, and load previously-captured traffic. My TODO list is:
- Implement packet decoding, and finish the UI for handling it. I’d like to support the same packet-decoder plugins that Wireshark does, but I’m not sure how easy that will be. And, I’d like it if you could write decoder plugins in Objective-C.
- Allow capture files to be saved. The app uses the NSDocument framework, so this is pretty easy; I just haven’t gotten around to it yet.
- Add sensible copy support: select some packets, or parts of them, and copy the selected raw packet data to the clipboard. An alternative copy command for copying the data as hex would be nice, too.
- Add multiple packet selection. This way you can select multiple packets, and copy them as above.
- Make a better icon, and finish the toolbar.
This has been a fun project, so far. I like hacking with Xcode, because it makes so many tedious things really easy. If you are curious, check out the code. This is pre-alpha, so the functionality is pretty limited.
Update: I’ve made a binary release of the current functionality. This is not a complete program yet, but it should show the UI direction I’m working toward.

Tom Tromey | 25-Dec-06 at 5:26 pm
I’m curious to know what aspects of XCode you like.
csm | 25-Dec-06 at 6:11 pm
I guess (after thinking about it) it isn’t just Xcode, but the holy trinity of Mac programming: (1) Xcode, (2) Interface Builder, and (3) the Cocoa frameworks. Xcode is nice for editing code, and for working with your project. It is well set up for managing what goes into your final “bundle” (an application, framework, etc.), has good integration with Subversion (not ideal, but good), and the project templates are actually good starting points for common types of project. Interface Builder is plain awesome for making user interfaces (I think there are similar tools for Java, and probably for other systems, but all of my GUI programming has been confined to doing it by hand with Swing, so this is heaven in comparison).
Cocoa is a really good set of frameworks for a lot of common tasks. It is targeted heavily at programming OS X GUI applications, but for that purpose, it works great. I also like the event loop/retain count programming model, where you cleanly divide object lifetimes into “only live this run of the loop” and “multiple loops.” The former goes into the autorelease pool, and gets collected at the end of the event loop. The latter does need the same care that manual memory-management needs, but not to quite the same degree. It feels like a good intermediate step between chaotic manual memory management, and full garbage collection.
Chevman | 25-Mar-07 at 3:39 pm
Hey, this is very cool. I was looking for a packet analyzer for my mac and stumbled across your page.
One question - is there a way to view the actual web addresses that are being requested?
For example, there is some god-awful Flash page, and I am trying to discern the actual addresses of the files being called behind it. When I run your program I get a lot of captured data, but most of it looks like hexadecimal gibberish.
Any ideas?
csm | 01-Apr-07 at 5:13 pm
@Chevman:
What is missing is a protocol dissector for HTTP, or whatever protocol the program you’re looking at is using. You should be able to see the addresses being connected to over TCP with Network Analyzer as it is now, though.
Also, lots of things aren’t done yet.