Wireshark-dev: Re: [Wireshark-dev] Understanding a file format with no underlying protocol information
From: "Gilbert Ramirez" <gram@xxxxxxxxxxxxxxx>
Date: Tue, 25 Jul 2006 09:09:38 -0500

There are some DLT values that are reserved for this type of
prototyping. From pcap-bpf.h:

#define DLT_USER0 147
#define DLT_USER1 148
#define DLT_USER2 149

...etc. But be sure to read the comment that precedes these
definitions; it's trivial to ask for your own DLT value, as Jeff
points out, if you need it.

wtap.h, in wiretap, also has WTAP_ENCAP_USER0, etc., definitions.

On 7/24/06, Jeff Morriss <jeff.morriss@xxxxxxxxxxx> wrote:
Priyanka Kamath wrote:
> Hi All,
> I have a capture file which I am interested in showing on the Wireshark
> GUI. My capture file has info about only *one* protocol (proprietary)
> and no other protocol. I am planning to write a dissector for my file. I
> am confused as to how Ethereal will call my dissector. My file has no
> data link information which Ethereal may understand. Do I have to assign
> a DLT_ value for my protocol?
> According to my understanding, I need to do the following so that
> Wireshark understands my file format:
> 1. Assign a DLT_ value to it.
> 2. Write a parser which will convert it into pcap format (Something
> similar to text2pcap)
> 3. Write a dissector and register it with the wtap_encap table by
> calling dissector_add()
> Please do correct me if I am wrong. This is really really important. I
> have searched a lot on the net and found information about writing
> dissectors etc. I just want to know if I am on the right track.

Yes, you basically have 2 options:
- do like you suggest above (using the PCAP file format)
  - NOTE about (1): DLT_ values are controlled by the folks at
    tcpdump.org. You can't just assign any unused DLT_ value, you need to
    ask for one to be assigned by emailing
- (or) write your own file format and then update Wireshark's wiretap
  library to understand it (wiretap already understands many file formats
  so there should be some good examples there to work from).

Wireshark-dev mailing list
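
The first option discussed in the thread (wrap the proprietary records in a pcap file whose link type is DLT_USER0), as an added example that is not part of the original messages. The record payloads are constructed, and the function names write_pcap, read_pcap and build_sample are hypothetical; the reader validates every length field before slicing, since a converter's output is untrusted input to whatever parses it next.

```python
import io
import struct

DLT_USER0 = 147          # from pcap-bpf.h, reserved for private prototyping
PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
SNAPLEN = 65535
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len


def write_pcap(out, records, linktype=DLT_USER0):
    """Write (ts_sec, ts_usec, payload) tuples as a little-endian pcap stream."""
    out.write(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, linktype))
    for sec, usec, payload in records:
        if len(payload) > SNAPLEN:
            raise ValueError("record longer than snaplen")
        out.write(RECORD_HDR.pack(sec, usec, len(payload), len(payload)))
        out.write(payload)


def read_pcap(data):
    """Parse the stream back; reject bad magic and out-of-range lengths."""
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("truncated global header")
    magic, _, _, _, _, snaplen, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off, payloads = GLOBAL_HDR.size, []
    while off < len(data):
        if off + RECORD_HDR.size > len(data):
            raise ValueError("truncated record header")
        _, _, incl_len, _ = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("record length exceeds snaplen or file size")
        payloads.append(data[off:off + incl_len])
        off += incl_len
    return linktype, payloads


# Constructed sample records standing in for the proprietary capture file.
SAMPLE = [(1153836578, 250000, b"\x01\x00\x04ping"),
          (1153836578, 500000, b"\x02\x00\x04pong")]


def build_sample():
    buf = io.BytesIO()
    write_pcap(buf, SAMPLE)
    return buf.getvalue()
```
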