Split tcpdump in files per packet / editcap wanted

I did a make clean and re-downloaded the wireshark.
Removing all dependencies from the wireshark Makefile didn't work, I needed to keep glib2.
I also changed it to only make my editcap.

Then I created the packages again.
The resulting .ipk is 12.991.329 bytes, so still very large. Inside the ipk I only see the editcap binary and .so files.

./usr/
./usr/bin/
./usr/bin/editcap
./usr/lib/
./usr/lib/libwireshark.so
./usr/lib/libwireshark.so.8
./usr/lib/libwireshark.so.8.0.1
./usr/lib/libwiretap.so
./usr/lib/libwiretap.so.6
./usr/lib/libwiretap.so.6.0.1
./usr/lib/libwsutil.so
./usr/lib/libwsutil.so.7
./usr/lib/libwsutil.so.7.0.0

So I don't think it can be made smaller.

Here's the complete Makefile that I used:

```makefile
#
# Copyright (C) 2007-2011 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#

include $(TOPDIR)/rules.mk

PKG_NAME:=wireshark
PKG_VERSION:=2.2.1
PKG_RELEASE:=5

PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_MD5SUM:=49a1023a69ac108ca089d750eee50e37
PKG_SOURCE_URL:=https://www.wireshark.org/download/src/

PKG_LICENSE:=MIT
PKG_LICENSE_FILES:=COPYING

PKG_FIXUP:=autoreconf

include $(INCLUDE_DIR)/package.mk

define Package/wireshark
  SECTION:=net
  CATEGORY:=Network
  URL:=http://www.wireshark.org/
  TITLE:=Network monitoring and data tool
  DEPENDS:=+glib2
endef

# Build editcap only; every other tool and optional feature is switched off.
CONFIGURE_ARGS+= \
	--disable-tshark \
	--disable-dumpcap \
	--disable-setuid-install \
	--disable-gtk2 \
	--disable-androiddump \
	--disable-randpktdump \
	--disable-ipv6 \
	--without-lua \
	--disable-glibtest \
	--without-plugins \
	--disable-wireshark \
	--disable-gtktest \
	--enable-editcap \
	--disable-capinfos \
	--disable-mergecap \
	--disable-text2pcap \
	--disable-idl2wrs \
	--disable-dftest \
	--disable-randpkt

TARGET_CFLAGS += -ffunction-sections -fdata-sections
TARGET_LDFLAGS += -Wl,--gc-sections

CONFIGURE_VARS += \
	BUILD_CC="$(TARGET_CC)" \
	HOSTCC="$(HOSTCC)" \
	td_cv_buggygetaddrinfo=no \
	ac_cv_linux_vers=$(LINUX_VERSION) \
	ac_cv_header_rpc_rpcent_h=no \
	ac_cv_lib_rpc_main=no \
	ac_cv_path_PCAP_CONFIG=""

MAKE_FLAGS += \
	CCOPT="$(TARGET_CFLAGS)" INCLS="-I. $(TARGET_CPPFLAGS)"

define Build/Compile
	cd $(PKG_BUILD_DIR)/tools/lemon&&make
	$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
		DESTDIR="$(PKG_INSTALL_DIR)" \
		CC="$(TARGET_CC)" \
		install
endef

# Package the editcap binary plus every shared library the build installed.
define Package/wireshark/install
	$(INSTALL_DIR) $(1)/usr/bin
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/editcap $(1)/usr/bin/
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.so* $(1)/usr/lib
endef

$(eval $(call BuildPackage,wireshark))
```


[quote="supersjimmie, post:21, topic:341, full:true"]
I did a make clean and re-downloaded the wireshark.
Removing all dependencies from the wireshark Makefile didn't work, I needed to keep glib2.
I also changed it to only make my editcap.

Then I created the packages again.
The resulting .ipk is 12.991.329 bytes, so still very large. Inside the ipk I only see the editcap binary and .so files.

./usr/
./usr/bin/
./usr/bin/editcap
./usr/lib/
./usr/lib/libwireshark.so
./usr/lib/libwireshark.so.8
./usr/lib/libwireshark.so.8.0.1
./usr/lib/libwiretap.so
./usr/lib/libwiretap.so.6
./usr/lib/libwiretap.so.6.0.1
./usr/lib/libwsutil.so
./usr/lib/libwsutil.so.7
./usr/lib/libwsutil.so.7.0.0

So I don't think it can be made smaller.
[/quote]

Well, you can look in the wireshark sources to see if you really need these libs for editcap, or simply install the package as-is, then you rename the libraries one at a time (first libwireshark and friends, then libwiretap and friends, and so on) and see if editcap breaks or not (again the battle-tested method).

Then you can alter the
$(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.so* $(1)/usr/lib
line to load only the libraries needed by editcap.

But still, this is probably not crucial, your device has 32MiB flash and a couple usb ports you can attach a flash drive to expand the firmware storage space into, you might want to do that anyway for other reasons too, see here


Just a first result.
It installed fine, but also needed to install glib2, libffi and libattr. (Those were automatically installed as dependencies.)
My free space on overlay dropped roughly 15Mb, from 20 to only 5 now... (time for more cleanup or the extroot)

editcap --help works. :slight_smile:

EDIT: moved all extras from /usr/lib to /tmp but then editcap fails on libwiretap and libwsutil. So I moved those back.
Only libwireshark files are still at /tmp and it works, so those are not needed. These files are LARGE, so that freed a lot. Looks like my free overlay space increased from 5 back to 19 now! Which means I am only using about 1-2Mb. :smiley:

Good, that line becomes:
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libwiretap*.so* $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libwsutil*.so* $(1)/usr/lib

so only the needed libraries are loaded in the package. Unless you add some other options the build system will still compile the libwireshark library, although it's not getting in the package anymore.
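
A static alternative to renaming libraries one at a time, as an added example that is not part of any post in this thread: read each staged file's dynamic section with `readelf -d` and follow the `NEEDED` entries from editcap outward. The `SAMPLE` data is constructed to match what the posts above observed (editcap needs libwiretap and libwsutil, not libwireshark); the function names and the `libc.so` soname are assumptions.

```python
import re

NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]")
SONAME_RE = re.compile(r"\(SONAME\)\s+Library soname:\s+\[([^\]]+)\]")

def parse_dynamic(text):
    """Return (soname or None, list of DT_NEEDED sonames) from `readelf -d` text."""
    soname = SONAME_RE.search(text)
    return (soname.group(1) if soname else None, NEEDED_RE.findall(text))

def closure(binary, dumps):
    """dumps maps staged file name -> `readelf -d` text.
    Returns (staged libraries to package, sonames other packages must provide)."""
    by_soname = {}
    for name, text in dumps.items():
        soname, _ = parse_dynamic(text)
        if soname:
            by_soname[soname] = name
    ship, external, todo = set(), set(), [binary]
    while todo:
        _, needed = parse_dynamic(dumps[todo.pop()])
        for soname in needed:
            if soname not in by_soname:
                external.add(soname)          # e.g. glib2 or libc, not in this package
            elif by_soname[soname] not in ship:
                ship.add(by_soname[soname])   # follow this library's own DT_NEEDED too
                todo.append(by_soname[soname])
    return sorted(ship), sorted(external)

def dyn(needed, soname=None):
    """Build constructed `readelf -d` lines for the sample below."""
    lines = [" 0x00000001 (NEEDED)   Shared library: [%s]" % n for n in needed]
    if soname:
        lines.append(" 0x0000000e (SONAME)   Library soname: [%s]" % soname)
    return "\n".join(lines)

# Constructed sample, not real readelf output from the thread's build.
BASE = ["libglib-2.0.so.0", "libc.so"]
SAMPLE = {
    "editcap": dyn(["libwiretap.so.6", "libwsutil.so.7"] + BASE),
    "libwiretap.so.6.0.1": dyn(["libwsutil.so.7"] + BASE, "libwiretap.so.6"),
    "libwsutil.so.7.0.0": dyn(BASE, "libwsutil.so.7"),
    "libwireshark.so.8.0.1": dyn(["libwiretap.so.6", "libwsutil.so.7"] + BASE,
                                 "libwireshark.so.8"),
}

if __name__ == "__main__":
    ship, external = closure("editcap", SAMPLE)
    print("package:", ship)
    print("from other packages:", external)
```

On a real build, fill `dumps` with the output of `readelf -d` for editcap and each `.so` under `$(PKG_INSTALL_DIR)/usr/lib`. `NEEDED` entries do not cover libraries a program loads at run time with `dlopen`, so a run-time test is still worth doing.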

I believe there are also --disable-... options to exclude more, so I will also take a look at that.
For now my time to spend has finished, next available time will be in a few days...

I'd say to not sink much more time in tuning this (you have a system that generates the package you needed and it is of a reasonable size).
Unless you want to turn wireshark into a proper LEDE/OpenWRT multi-package that you can then send to (and become the maintainer of in) the community package feeds, of course. :slight_smile:

Most makefiles in there split up each tool and each library in their own package (usually), so people can install only tool X and its libraries (or pull down everything if they don't have space issues).

See, for example, BlueZ's makefile (will build all BlueZ packages, bluetooth tools, libraries, daemon, examples).

I recreated the package and it is now about 221kb.

Too bad...
When I do editcap --help it just works.
But when I do an actual editcap file.cap output it comes with a Segmentation fault (nothing else).

Any ideas how to start tracking this?

Add again the libs you removed and see if it works with them.

Nope, I removed and reinstalled the ipk (to be sure I wouldn't miss anything) but the result is the same.

I have tcpdump installed (to capture), and also a libpcap lib is installed (installed by/for tcpdump).
To see if that conflicts, I removed tcpdump and libpcap.
But still no result.

Then I recompiled it, but now I removed a lot of '--without-xxx' lines (to make it more default) and I reverted the dependencies line to the original. I also re-added the --enable-tshark.
Now editcap works. Even after I delete the huge libwireshark library (all together is larger than before, but it's good enough for me).

Hm, sounds like an upstream issue then.
Wireshark either needs a build dependency that isn't stated in the configuration (fixed by reverting the dependencies like the original OpenWRT package makefile), or some of the '--without-xxx' commands break stuff (these commands do things specified in wireshark's upstream makefile, not in OpenWRT package makefile).