Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-dev: Re: [Wireshark-dev] Understanding a file format with no underlying protocol info

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Gilbert Ramirez" <gram@xxxxxxxxxxxxxxx>
Date: Tue, 25 Jul 2006 09:09:38 -0500
There are some DLT values that are reserved for this type of
prototyping. From pcap-bpf.h:

#define DLT_USER0       147
#define DLT_USER1       148
#define DLT_USER2       149

...etc. But be sure to read the comment that precedes these
definitions; it's trivial to ask for your own DLT value, as Jeff
points out, if you need it.

wtap.h, in wiretap, also has WTAP_ENCAP_USER0, etc., definitions.

--gilbert

On 7/24/06, Jeff Morriss <jeff.morriss@xxxxxxxxxxx> wrote:



Priyanka Kamath wrote:
> Hi All,
>
> I have a capture file which i am interested in showing on the Wireshark
> GUI. My capture file has info about only *one* protocol (proprietery)
> and no other protocol.I am planning to write a dissector for my file. I
> am confused as to how ethereal will call my dissector. My file has no
> data link information which ethereal may understand. Do i have to assign
> a DLT_ value for my protocol?
>
> According to my understanding, i need to do the following so that
> WIreshark understands my file format:
> 1. Assign a DLT_ value to it.
> 2. Write a parser which will convert it into pcap format (Something
> similar to text2pcap)
> 3. Write a dissector and register it with the wtap_encap table by
> calling dissector_add()
> Please do correct me if i am wrong. This is really really important. I
> have searched a lot on the net and found information about writing
> dissectors etc. I just want to know if i am on the right track.

Yes, you basically have 2 options:

- do like you suggest above (using the PCAP file format)
        - NOTE about (1): DLT_ values are controlled by the folks at
tcpdump.org .  You can't just assign any unused DLT_ value, you need to
ask for one to be assigned by emailing
tcpdump-workers[AT]lists.tcpdump.org .

- (or) write your own file format and then update Wireshark's wiretap
library to understand it (wiretap already understands many file formats
so there should be some good examples there to work from).
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube