
Ethereal-users: Re: [Ethereal-users] using ethereal to decode dtap packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Wed, 15 Jun 2005 18:48:05 +0200
I've checked in the DLT_USERXX exactly to work around this kind of
issue: I generate h248-only pcap files from logs, set the DLT to one
of the user DLTs, then I configure DLT_USERXX to use the h248
dissector to handle the payload of the file. Works OK for me.

The issue here is also that none of the DTAP dissectors (neither GSM
nor ANSI) are currently registered by name, which makes this technique
inapplicable to the specific case.

On the other hand, to register gsm_a_dtap by name is just "2 lines of
code in a file" away... to register all the dissectors by name would be
a few hundred lines of code in a few hundred files.

Luis.

On 6/15/05, Guy Harris <gharris@xxxxxxxxx> wrote:
> ken williams wrote:
> 
> > I tried some of the captures on the link that you suggested and they were
> > decoded once I had enabled the protocols.
> 
> OK, so the reason why it reported a WTAP_ENCAP value of 1 as UNKNOWN is
> that it *was* unknown - you'd presumably disabled the Ethernet protocol.
> 
> > Now let me see if I have got this right.
> > text2pcap uses the library Wiretap in order to interpret the protocols
> 
> No.
> 
> text2pcap writes out a libpcap-format file, which means that the
> link-layer protocols it can handle are those supported by the libpcap
> file format.
> 
> The files are then read, in Ethereal (and Tethereal, and some of the
> utilities that come with Ethereal), by the Wiretap library.  That
> library can also read a number of non-libpcap capture file formats, and
> support can be added for additional capture file formats.
> 
> > and that the gsm protocols are not in the library
> 
> There are two issues here:
> 
>         1) there is no libpcap link-layer protocol code for any GSM protocol
> 
> and
> 
>         2) there is no Wiretap encapsulation code for any GSM protocol.
> 
> > and therefore it will not work.
> > I need to add gsm support to the library in order to use the text2pcap program.
> 
> At minimum, you need to add a Wiretap encapsulation code for whatever
> GSM protocol is at the link layer in your trace file.
> 
> However, that's not sufficient, if you're using text2pcap.  You would
> also need to request a new link-layer protocol code (called a DLT_
> value, as the names begin with DLT_) from tcpdump.org by sending mail to
> tcpdump-workers@xxxxxxxxxxx, and, once you've gotten that (which should
> happen fairly quickly if you indicate what protocol it is, so that we
> can find the specification for the protocol), you would have to add to
> the Wiretap code for reading libpcap files (or, rather, to the table it
> uses for mapping DLT_ values to Wiretap encapsulation codes) a mapping
> from the new DLT_ value to the new Wiretap encapsulation code.
> 
> If, rather than using text2pcap, you added to Wiretap the ability to
> directly read the proprietary traces, you'd only need to have the code
> to read those traces return the new encapsulation code value for
> captures using that GSM protocol.
> 
> In either case, you would then have to have the dissector for that GSM
> protocol register itself in the "wtap_encap" dissector table with the
> new Wiretap encapsulation code (assuming such a dissector exists; if it
> doesn't, you'd have to write one and add it to Ethereal).
> 
> > I assume then that text2pcap adds a protocol identifier in the pcap file.
> 
> text2pcap writes libpcap files, and libpcap files have, in the
> file header, a DLT_ value indicating the link-layer protocol for the
> packets in the file.
> 
> > I am using a binary distro for windows at the moment but am attempting to build
> > ethereal on linux at home so that I can debug.
> 
> If you are going to do any of the stuff I mention above, you will *have*
> to be able to build Ethereal on whatever platforms you will be using it
> to read your mobile phone traces, as that stuff involves changing the
> source code and rebuilding Ethereal.
> 
> Note that if you don't contribute the changes back to us, you will have
> to maintain them yourself, and merge them into your private version of
> Ethereal whenever you pick up a new release of Ethereal.
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
> 


-- 
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
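The two facts the thread turns on are that a libpcap file carries exactly one DLT_ value in its global header, and that the reader chooses the dissector for every packet's payload from that value; the DLT_USERXX workaround Luis describes is just a user-configurable entry in that DLT_-to-dissector lookup. The following is an added example written for this page; it is not code from the thread, from Ethereal or from Wireshark. It writes a libpcap file the way text2pcap does, reads it back with bounds checks, and routes each payload by DLT_. DLT_EN10MB = 1 and the DLT_USER0..DLT_USER15 range (147..162) are the real libpcap values; the dissector names, the "enabled protocols" set and the packet bytes are constructed for illustration, and the payloads are not real H.248 or DTAP messages.

```python
"""Added example, not code from the thread or from Ethereal/Wireshark.

Models a libpcap file (one DLT_ value in the global header, one record per
packet) and a reader that picks the dissector from that DLT_ value, including
the DLT_USERXX -> dissector preference Luis describes. Dissector names,
the enabled-protocol set and all packet bytes are constructed placeholders."""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # magic as written in the writer's own byte order
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # the same magic read in the opposite byte order
DLT_EN10MB = 1                   # Ethernet; the "WTAP_ENCAP value of 1" case in the thread
DLT_USER0 = 147                  # DLT_USER0..DLT_USER15 = 147..162, reserved for private use

GLOBAL_HDR = "IHHiIII"  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"     # ts_sec, ts_usec, incl_len, orig_len

# Constructed tables: built-in DLT_ -> dissector mapping, and the user-DLT
# preference that plays the role of the DLT_USERXX workaround in the thread.
BUILTIN_DLT_DISSECTORS = {DLT_EN10MB: "eth"}
USER_DLT_DISSECTORS = {DLT_USER0: "h248", DLT_USER0 + 1: "gsm_a_dtap"}
ENABLED_DEFAULT = frozenset(("eth", "h248", "gsm_a_dtap"))


def write_pcap(linktype, packets, snaplen=65535, byteorder="<"):
    """Write a libpcap file the way text2pcap does: one global header carrying
    the DLT_ value, then a 16-byte record header plus payload per packet."""
    out = bytearray(struct.pack(byteorder + GLOBAL_HDR,
                                PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, payload in packets:
        if len(payload) > snaplen:
            raise ValueError("payload longer than snaplen")
        out += struct.pack(byteorder + RECORD_HDR,
                           ts_sec, ts_usec, len(payload), len(payload))
        out += payload
    return bytes(out)


def read_pcap(data):
    """Parse a libpcap file into (linktype, [(ts_sec, ts_usec, payload), ...]).
    Byte order is taken from the magic; every length is bounds-checked so a
    truncated or malformed file raises instead of yielding garbage."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        bo = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        bo = ">"
    else:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic)
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack(bo + GLOBAL_HDR, data[:24])
    if (vmaj, vmin) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (vmaj, vmin))
    packets, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(bo + RECORD_HDR, data[off:off + 16])
        off += 16
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(data):
            raise ValueError("bad record length %d at offset %d" % (incl_len, off - 16))
        packets.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return linktype, packets


def dissector_for(linktype, enabled=ENABLED_DEFAULT):
    """Pick the dissector by DLT_ value. An unmapped value, or a mapped
    dissector that is disabled, both come out as UNKNOWN, which is what
    Ethereal reported for DLT 1 with the Ethernet protocol disabled."""
    name = BUILTIN_DLT_DISSECTORS.get(linktype) or USER_DLT_DISSECTORS.get(linktype)
    if name is None or name not in enabled:
        return "UNKNOWN"
    return name


def route(data, enabled=ENABLED_DEFAULT):
    """Read a pcap file and hand every payload to the dissector its DLT_ selects."""
    linktype, packets = read_pcap(data)
    name = dissector_for(linktype, enabled)
    return [(name, payload) for _, _, payload in packets]


if __name__ == "__main__":
    # Constructed placeholder payloads, not real H.248 or DTAP messages.
    h248_file = write_pcap(DLT_USER0, [(1118854085, 0, b"\x01\x02\x03")])
    print(route(h248_file))                              # [('h248', b'\x01\x02\x03')]
    eth_file = write_pcap(DLT_EN10MB, [(1118854085, 0, b"\xff" * 14)])
    print(route(eth_file, enabled=frozenset(("h248",))))  # [('UNKNOWN', b'\xff...')]
```

The same flow with the real tools is `text2pcap -l 147 hexdump.txt out.pcap` to stamp DLT_USER0 into the file header, then pointing the DLT_USER preference in Ethereal at the dissector that should get the payload; as Luis notes, that last step only works for dissectors that are registered by name, which is why gsm_a_dtap needs its registration call first.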