Wireshark-dev: Re: [Wireshark-dev] Understanding a file format with no underlying protocol information



From: "Gilbert Ramirez" <gram@xxxxxxxxxxxxxxx>
Date: Tue, 25 Jul 2006 09:09:38 -0500

There are some DLT values that are reserved for this type of
prototyping. From pcap-bpf.h:

#define DLT_USER0       147
#define DLT_USER1       148
#define DLT_USER2       149

...etc. But be sure to read the comment that precedes these
definitions; it's trivial to ask for your own DLT value, as Jeff
points out, if you need it.

wtap.h, in wiretap, also has WTAP_ENCAP_USER0, etc., definitions.

--gilbert

On 7/24/06, Jeff Morriss <jeff.morriss@xxxxxxxxxxx> wrote:


Priyanka Kamath wrote:
> Hi All,
>
> I have a capture file which I am interested in showing on the Wireshark
> GUI. My capture file has info about only *one* protocol (proprietary)
> and no other protocol. I am planning to write a dissector for my file. I
> am confused as to how ethereal will call my dissector. My file has no
> data link information which ethereal may understand. Do I have to assign
> a DLT_ value for my protocol?
>
> According to my understanding, I need to do the following so that
> Wireshark understands my file format:
> 1. Assign a DLT_ value to it.
> 2. Write a parser which will convert it into pcap format (Something
> similar to text2pcap)
> 3. Write a dissector and register it with the wtap_encap table by
> calling dissector_add()
> Please do correct me if I am wrong. This is really really important. I
> have searched a lot on the net and found information about writing
> dissectors etc. I just want to know if I am on the right track.

Yes, you basically have 2 options:

- do like you suggest above (using the PCAP file format)
        - NOTE about (1): DLT_ values are controlled by the folks at
tcpdump.org. You can't just assign any unused DLT_ value, you need to
ask for one to be assigned by emailing
tcpdump-workers[AT]lists.tcpdump.org.

- (or) write your own file format and then update Wireshark's wiretap
library to understand it (wiretap already understands many file formats
so there should be some good examples there to work from).
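The "convert it into pcap" step from the thread, as an added example that is not from the list message or the Wireshark project: a converter that wraps records of a proprietary capture in pcap framing under DLT_USER0 (147, the value quoted from pcap-bpf.h above), so Wireshark hands each frame to whatever dissector is registered for that value in the wtap_encap table. The record layout (seconds, microseconds, length, payload) is a hypothetical format invented for this example, and the converter refuses truncated input rather than emitting a partial frame.

```python
import struct

# DLT_USER0 from pcap-bpf.h, as quoted in the thread (DLT_USER1 = 148, DLT_USER2 = 149).
DLT_USER0 = 147
PCAP_MAGIC = 0xA1B2C3D4  # classic microsecond-resolution pcap magic

# Hypothetical proprietary record layout (an assumption for this example, not a real format):
#   uint32 seconds | uint32 microseconds | uint16 payload_len | payload bytes
RECORD_HDR = struct.Struct("<IIH")

def parse_records(blob: bytes):
    """Split the hypothetical proprietary capture into (sec, usec, payload) tuples."""
    records, off = [], 0
    while off < len(blob):
        if len(blob) - off < RECORD_HDR.size:
            raise ValueError(f"truncated record header at offset {off}")
        sec, usec, plen = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        if len(blob) - off < plen:
            raise ValueError(f"record at offset {off} claims {plen} bytes, only {len(blob) - off} left")
        records.append((sec, usec, blob[off:off + plen]))
        off += plen
    return records

def records_to_pcap(records, linktype: int = DLT_USER0, snaplen: int = 65535) -> bytes:
    """Emit a pcap global header with the user DLT, then one record header per payload."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, network (link type)
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for sec, usec, payload in records:
        caplen = min(len(payload), snaplen)
        out += struct.pack("<IIII", sec, usec, caplen, len(payload))  # ts_sec, ts_usec, incl_len, orig_len
        out += payload[:caplen]
    return bytes(out)

def pcap_linktype(pcap: bytes) -> int:
    """Read the link type back from the global header (it sits at byte offset 20)."""
    return struct.unpack_from("<I", pcap, 20)[0]

# Constructed sample input: two records of the hypothetical format.
SAMPLE_INPUT = (
    RECORD_HDR.pack(1153837778, 0, 4) + b"\x01\x02\x03\x04"
    + RECORD_HDR.pack(1153837778, 250000, 2) + b"\xaa\xbb"
)

if __name__ == "__main__":
    with open("proprietary_as_user0.pcap", "wb") as fh:
        fh.write(records_to_pcap(parse_records(SAMPLE_INPUT)))
```

Opening the resulting file in Wireshark shows each record as a frame with link type USER0; without a dissector registered for that encapsulation the payload is simply shown as data.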
