
It would definitely be useful. This is part of the plan and we started exploring different possibilities (early stage, at the moment). Thank you for the feedback and for filing the feature request on GH.


Hey np. Also,

Wireshark and also tshark iirc support custom protocol dissectors;

"How can I add a custom protocol analyzer to wireshark?" https://stackoverflow.com/questions/4904991/how-can-i-add-a-...

What can the pcap files contain?


I'm sure this could be implemented using the Python bindings as the stored events contain the raw packet. Pcap conversion can also be used (it uses the same raw packet) for reusing existing tools like Wireshark and (I'm not familiar with that but I guess that would work) existing custom protocol dissectors.


The pcap-ng file will contain packets (l2/l3/l4 and so forth, but up to 255 bytes), each annotated with a comment that tells you what kernel function or tracepoint the packet was "captured" from. For the time being you can generate pcapng files filtering packets based on a single probe (e.g. all filtered/tracked packets hitting `net:net_dev_start_xmit`). You can then use Wireshark (or any tool you prefer) to dissect and further process. Custom dissectors should not be required.


Can Wireshark parse comments in pcapng files, even with a dissector?

/? ' https://www.google.com/search?q=Can+Wireshark+parse+comments... :

  frame.comment contains "Your string"

And there's apparently a way to add a custom column to display frame.comment from pcapng traces in Wireshark.


Yep. For Wireshark/Tshark, display filters (including "frame.comment contains ...") can be used as usual. Of course, if your pcap file contains only frames with the same comment, that expression is not particularly useful, but you can merge multiple files with e.g. mergecap.

The pcap subcommand, though, will be extended to allow extracting packets from multiple probes in a single run.
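
Added example, not part of the thread or of the tool under discussion: a minimal Python reader for pcapng Enhanced Packet Blocks that pulls out the per-packet comment option (code 1) and selects packets the way `frame.comment contains ...` does. It assumes a little-endian file; the sample capture is constructed, and the second probe name and all helper names are hypothetical.

```python
import struct

OPT_END, OPT_COMMENT = 0, 1
BT_SHB, BT_IDB, BT_EPB = 0x0A0D0D0A, 1, 6

def pad4(b):
    return b + b"\x00" * (-len(b) % 4)  # pcapng aligns fields to 32 bits

def block(btype, body):
    # Every block is: type, total length, body, total length again.
    total = len(body) + 12
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def epb(packet, comment):
    # Enhanced Packet Block: if_id, ts_hi, ts_lo, caplen, origlen, data, options.
    opts = struct.pack("<HH", OPT_COMMENT, len(comment)) + pad4(comment) + struct.pack("<HH", OPT_END, 0)
    return block(BT_EPB, struct.pack("<IIIII", 0, 0, 0, len(packet), len(packet)) + pad4(packet) + opts)

def packets_with_comments(data):
    """Yield (comments, packet_bytes) for each EPB in a little-endian pcapng buffer."""
    off = 0
    while off + 12 <= len(data):
        btype, total = struct.unpack_from("<II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("malformed block at offset %d" % off)
        body = data[off + 8 : off + total - 4]
        off += total
        if btype != BT_EPB or len(body) < 20:
            continue
        caplen = struct.unpack_from("<I", body, 12)[0]
        pos, comments = 20 + caplen + (-caplen % 4), []
        while pos + 4 <= len(body):  # walk the option TLVs after the packet data
            code, length = struct.unpack_from("<HH", body, pos)
            if code == OPT_END:
                break
            if code == OPT_COMMENT:
                comments.append(body[pos + 4 : pos + 4 + length].decode("utf-8", "replace"))
            pos += 4 + length + (-length % 4)
        yield comments, body[20 : 20 + caplen]

def comment_contains(data, needle):
    """Rough equivalent of the display filter: frame.comment contains "needle"."""
    return [pkt for comments, pkt in packets_with_comments(data) if any(needle in c for c in comments)]

# Constructed sample: section header, one interface (snaplen 255), two annotated packets.
SAMPLE = b"".join([
    block(BT_SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)),
    block(BT_IDB, struct.pack("<HHI", 1, 0, 255)),
    epb(b"\xaa" * 14, b"net:net_dev_start_xmit"), epb(b"\xbb" * 15, b"example:other_probe"),
])
```
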

