tqcq 4b74d270f3
SKILL.md: MUST/MUST NOT rules, skill-relative binary paths
- Restructure rules as explicit MUST / MUST NOT sections
- MUST: deploy before use, never fall back to system tshark
- MUST NOT: use system tshark, deploy to system paths, split by time
- Binary source: skill's own bin/ dir (not hardcoded absolute path)
- AGENTS.md: add Skill Compliance section enforcing skill MUST/MUST NOT
2026-04-24 11:13:06 +08:00

ai-skill-pcap-analysis

Fully static tshark binary for zero-dependency network packet analysis on any Linux machine.

What's This

A build system that produces statically linked tshark binaries from Wireshark 4.6.1 source, targeting x86_64 and aarch64 Linux. No shared libraries, no package dependencies — copy and run.

The binary is named tshark-sa (static-analysis) to avoid conflicts with system-installed tshark.

Binaries

Download from CI artifacts or releases:

| Architecture | Binary | Size |
| --- | --- | --- |
| x86_64 | tshark-sa-x86_64 | ~140MB |
| aarch64 | tshark-sa-aarch64 | ~139MB |

```bash
# Deploy
chmod +x tshark-sa-x86_64
# Use an absolute target: a relative symlink target would be resolved inside
# /usr/local/bin and dangle unless the binary was downloaded there
ln -sf "$PWD/tshark-sa-x86_64" /usr/local/bin/tshark-sa
tshark-sa --version
```
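Before trusting a downloaded binary as "zero-dependency", confirm it really carries no program interpreter and no DT_NEEDED entries. The check below is an added example, not part of this repository: it parses the ELF64 program headers and dynamic section directly (no readelf or ldd required) and ships with a constructed sample image in place of a real tshark-sa, so it runs offline; run `elf_linkage(open("tshark-sa-x86_64", "rb").read())` on the real artifact.

```python
import struct

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3          # program header types
DT_NEEDED, DT_STRTAB = 1, 5                         # dynamic section tags

def elf_linkage(data: bytes) -> dict:
    """Inspect a little-endian ELF64 image: interpreter, DT_NEEDED libraries, static verdict."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = [struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    loads = [(va, off, sz) for (t, _, off, va, _, sz, _, _) in phdrs if t == PT_LOAD]
    def cstr(off):  # NUL-terminated string at a file offset
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")
    def vaddr_to_off(va):  # map a virtual address to a file offset via the PT_LOAD segments
        for seg_va, seg_off, seg_sz in loads:
            if seg_va <= va < seg_va + seg_sz:
                return seg_off + (va - seg_va)
        raise ValueError("address not backed by any PT_LOAD segment")
    interp, needed = None, []
    for t, _, off, _, _, sz, _, _ in phdrs:
        if t == PT_INTERP:            # a program interpreter means the kernel will run ld.so
            interp = cstr(off)
        elif t == PT_DYNAMIC:         # static-pie keeps PT_DYNAMIC but has no DT_NEEDED entries
            tags = [struct.unpack_from("<QQ", data, off + j * 16) for j in range(sz // 16)]
            strtab = next((v for tg, v in tags if tg == DT_STRTAB), None)
            if strtab is not None:
                base = vaddr_to_off(strtab)
                needed = [cstr(base + v) for tg, v in tags if tg == DT_NEEDED]
    return {"interp": interp, "needed": needed, "static": interp is None and not needed}

def sample_elf(dynamic: bool) -> bytes:
    """Constructed ELF64 image for the demo (NOT a real tshark-sa); one PT_LOAD maps the file."""
    base, phoff, nph = 0x400000, 64, 3
    interp = b"/lib/ld-musl-x86_64.so.1\0"
    strtab = b"\0libpcap.so.1\0libz.so.1\0"              # name offsets 1 and 14
    o_int, o_str = phoff + 56 * nph, phoff + 56 * nph + len(interp)
    o_dyn = o_str + len(strtab)
    dyn = struct.pack("<8Q", DT_STRTAB, base + o_str, DT_NEEDED, 1, DT_NEEDED, 14, 0, 0)
    def ph(t, off, sz):
        return struct.pack("<IIQQQQQQ", t, 0, off, base + off, base + off, sz, sz, 1)
    phdrs = ph(PT_LOAD, 0, o_dyn + len(dyn))
    phdrs += (ph(PT_INTERP, o_int, len(interp)) + ph(PT_DYNAMIC, o_dyn, len(dyn))
              if dynamic else ph(0, 0, 0) * 2)             # PT_NULL padding keeps nph fixed
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       2, 0x3E, 1, base, phoff, 0, 0, 64, 56, nph, 64, 0, 0)
    return ehdr + phdrs + interp + strtab + dyn
```

A musl static-pie build reports `interp` None and an empty `needed` list, which is the expected result for tshark-sa; any non-empty `needed` list means the artifact still depends on shared libraries.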

Features

Supported (Current Build)

| Feature | Status | Details |
| --- | --- | --- |
| Protocol dissectors | Supported | 3043 protocols |
| Lua 5.4 scripting | Supported | Custom dissectors, taps, analysis |
| Display filters | Supported | Full Wireshark filter syntax |
| BPF capture filters | Supported | Kernel-level filtering |
| TCP stream reassembly | Supported | `follow,tcp` |
| Protocol statistics | Supported | `io,phs`, `conv,*`, `endpoints,*` |
| JSON/CSV output | Supported | `-T json`, `-T fields` |
| HTTP object extraction | Supported | `--export-objects` |
| Expert info | Supported | Anomalies, warnings, errors |
| DNS/SIP/RTP/RTSP analysis | Supported | Video streaming protocols |
| Live capture | Supported | libpcap built-in |
| Static linking | Supported | Zero dependencies, single binary |
| Stripped binary | Supported | Minimized size |

Pending (Planned)

| Feature | Priority | Notes |
| --- | --- | --- |
| GnuTLS (TLS decryption) | High | Enables SSLKEYLOGFILE decryption |
| nghttp2 (HTTP/2) | High | Modern web traffic analysis |
| Brotli + Zstd + LZ4 | High | Content decompression |
| MaxMindDB (GeoIP) | High | IP geolocation lookups |
| Kerberos | Medium | KRB5/GSS-API dissection |
| SBC codec | Low | Bluetooth audio |
| bcg729 codec | Low | VoIP G.729 |
| Opus codec | Low | VoIP Opus |

TODO — Companion Tools to Static Build

These tools are currently expected to come from system packages; the plan is to build them statically as well:

  • editcap — PCAP manipulation (split, merge, dedup, time-range)
  • capinfos — PCAP metadata (packet count, duration, file size)
  • mergecap — Merge multiple PCAP files chronologically
  • text2pcap — Convert hex dump to PCAP
  • dumpcap — Lightweight capture daemon
  • sharkd — Shark daemon (API-based analysis)
  • randpkt — Random packet generator (testing)

Build System

Repository Structure

```text
.
├── .gitea/workflows/build.yml   # CI: multi-arch build
├── scripts/
│   ├── download-sources.sh      # Download & cache Wireshark source
│   ├── build-deps.sh            # Build all static dependencies
│   └── build-tshark.sh          # Configure + build tshark-sa
├── SKILL.md                     # opencode skill (usage documentation)
├── .gitignore
└── README.md
```

Build Locally

```bash
# Phase 1: Download source (cached)
bash scripts/download-sources.sh 4.6.1

# Phase 2: Build dependencies (cached)
# Run from the repository root: the checkout is mounted at /build so that
# scripts/build-deps.sh is visible inside the container
docker run --rm \
  -v "$(pwd):/build" \
  -v "$(pwd)/src-cache:/build/src-cache" \
  -v "$(pwd)/deps-cache:/opt/static-deps" \
  -e SRC_CACHE=/build/src-cache \
  -w /build \
  alpine:3.23 sh -c '
    apk add --no-cache build-base cmake meson ninja perl python3 flex bison pkgconf curl tar xz
    bash scripts/build-deps.sh
  '

# Phase 3: Build tshark-sa (same repository mount; the build script is run from /build)
docker run --rm \
  -v "$(pwd):/build" \
  -v "$(pwd)/src-cache:/build/src-cache" \
  -v "$(pwd)/deps-cache:/opt/static-deps" \
  -v "$(pwd)/output:/build/output" \
  -e SRC_CACHE=/build/src-cache \
  alpine:3.23 sh -c '
    apk add --no-cache build-base cmake perl python3 flex bison pkgconf git binutils
    cd /build && bash scripts/build-tshark.sh
  '
```

Cross-compile for aarch64

Add `--platform linux/arm64` to each `docker run` invocation. This requires QEMU user-mode emulation to be registered on the host:

```bash
docker run --rm --platform linux/arm64 ...
```

Static Dependencies

All built from source with -fPIC -O3 -funroll-loops:

| Library | Version | Purpose |
| --- | --- | --- |
| zlib | 1.3.1 | Compression |
| GLib | 2.86.3 | Core framework |
| GObject | 2.86.3 | Type system |
| GIO | 2.86.3 | I/O abstraction |
| libffi | 3.4.7 | Foreign function interface |
| libgcrypt | 1.11.2 | Crypto |
| libgpg-error | 1.51 | Error codes |
| c-ares | 1.34.6 | DNS resolution |
| PCRE2 | 10.44 | Regex |
| libxml2 | 2.13.9 | XML parsing |
| Lua | 5.4.8 | Scripting |
| libpcap | 1.10.5 | Packet capture |
| speexdsp | 1.2.1 | Audio DSP |

License

Wireshark is GPL-2.0-or-later. The statically linked binary inherits this license. Build scripts and SKILL.md are provided as-is.
