
Wireshark-dev: Re: [Wireshark-dev] Dissecting of Raw QSig over LAPD

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 21 Oct 2007 10:20:45 -0700
Varuna De Silva wrote:

> I got a new DLT_ value for raw LAPD from tcpdump.org, i.e. 203;
> 
> I was advised earlier by the Wireshark Dev as below
> 
> __________________________________________________________
> 
> > If you can't use the Linux LAPD DLT (even by faking the headers?)
> __________________________________________________________
> 
> Where can I know how to fake the headers?

The pseudo-header is 16 bytes long; the 2 bytes at an offset of 14 from the beginning of the header are a big-endian number which must have the value 0x0030, the first 2 bytes of the header are a big-endian number that gives an indication of the direction in which the packet is going, and the byte at an offset of 6 from the beginning of the header is a value that combines with the previous value to indicate whether this is a user-to-network or network-to-user packet.

Use a direction value of 4, and:

	for user-to-network packets, give the byte at an offset of 6 a value of 0;

	for network-to-user packets, give the byte at an offset of 6 a value of 1.

You might either have to change your hardware or your driver in order to get it to add those extra 16 bytes at the beginning of each frame.

NOTE: as I indicated in my reply on tcpdump-workers, if you use DLT_LAPD without any extra pseudo-header, the LAPD dissector won't know whether a frame is user-to-network or network-to-user; if that's a problem, you'll have to either use DLT_LINUX_LAPD and the pseudo-header described above, or will have to create your own pseudo-header and ask for a new DLT_LAPD_PHDR DLT_ value (DO NOT use DLT_LAPD with a pseudo-header!).

> I went through this bug,
> 
> http://bugs.wireshark.org/bugzilla/attachment.cgi?id=953&action=view
> According to this there are some changes that I need to do to
> the wtap.c/wtap.h
> 
> Can I please know the connection between the wiretap library and the
> libpcap library. Can't I anyhow wait without changing the wiretap
> library.

If you use DLT_LAPD - or a new DLT_LAPD_PHDR - you will have to make a small change to the Wiretap library.

> I thought it is a substitute for libpcap.

Wiretap is a substitute for the part of libpcap that reads capture files. It doesn't support capturing (that's the complicated part of libpcap, as it has to support capturing on a number of different UNIX-like systems, as well as on Windows, and do so in a way that allows most applications not to have to know on what type of system they're capturing).

> Is libpcap just one of the types that Wireshark understands?

Yes, it's only one of the file formats Wireshark understands.
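The pseudo-header Guy describes above, built and checked in code, as an added example that is not part of this thread and not Wireshark's or libpcap's own code. It follows only what the reply states: a 16-byte header, big-endian direction value 4 at offset 0, a direction flag of 0 (user-to-network) or 1 (network-to-user) at offset 6, and big-endian 0x0030 at offset 14. Assumptions not on the page: the link-layer type number 177 for DLT_LINUX_LAPD (taken from the tcpdump.org link-layer header type list), the pcap file layout used to write the frames, and the sample LAPD RR frame, which is constructed rather than captured. The Wiretap change needed for DLT_LAPD (203) mentioned in the reply is not shown here.

```python
import io
import struct

# DLT/LINKTYPE value for DLT_LINUX_LAPD from the tcpdump.org link-layer
# header type list; the number itself is not stated in the thread.
LINKTYPE_LINUX_LAPD = 177
PHDR_LEN = 16           # pseudo-header length from Guy's description
PHDR_DIRECTION = 4      # big-endian value required at offset 0
PHDR_PROTOCOL = 0x0030  # big-endian value required at offset 14

# Constructed sample (not from a real capture): an LAPD RR (receive ready)
# supervisory frame, SAPI 0, C/R 0, TEI 0, N(R) 0.
SAMPLE_LAPD_FRAME = b"\x00\x01\x01\x00"


def linux_lapd_pseudo_header(user_to_network: bool) -> bytes:
    """Build the 16-byte DLT_LINUX_LAPD pseudo-header for one direction."""
    hdr = bytearray(PHDR_LEN)
    struct.pack_into(">H", hdr, 0, PHDR_DIRECTION)
    hdr[6] = 0 if user_to_network else 1
    struct.pack_into(">H", hdr, 14, PHDR_PROTOCOL)
    return bytes(hdr)


def parse_linux_lapd_pseudo_header(frame: bytes):
    """Check the pseudo-header and return (user_to_network, raw LAPD bytes).

    Raises ValueError on any field that does not match the description,
    which is what a faked header must avoid to be dissected as LAPD.
    """
    if len(frame) < PHDR_LEN:
        raise ValueError("frame shorter than the 16-byte pseudo-header")
    (direction,) = struct.unpack_from(">H", frame, 0)
    (proto,) = struct.unpack_from(">H", frame, 14)
    if proto != PHDR_PROTOCOL:
        raise ValueError(f"offset 14 is 0x{proto:04x}, expected 0x{PHDR_PROTOCOL:04x}")
    if direction != PHDR_DIRECTION:
        raise ValueError(f"offset 0 is {direction}, expected {PHDR_DIRECTION}")
    if frame[6] not in (0, 1):
        raise ValueError(f"offset 6 is {frame[6]}, expected 0 or 1")
    return frame[6] == 0, frame[PHDR_LEN:]


def pcap_bytes(frames, linktype=LINKTYPE_LINUX_LAPD, snaplen=65535) -> bytes:
    """Serialize (ts_sec, ts_usec, data) records as a little-endian pcap file."""
    out = io.BytesIO()
    # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    out.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, data in frames:
        out.write(struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)))
        out.write(data)
    return out.getvalue()


def read_pcap(data: bytes):
    """Minimal reader for the files pcap_bytes() writes: (linktype, records)."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    off, records = 24, []
    while off < len(data):
        ts_sec, ts_usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((ts_sec, ts_usec, data[off:off + caplen]))
        off += caplen
    return linktype, records


def build_capture() -> bytes:
    """One frame per direction, each prefixed with the faked pseudo-header."""
    frames = [
        (0, 0, linux_lapd_pseudo_header(True) + SAMPLE_LAPD_FRAME),
        (0, 500, linux_lapd_pseudo_header(False) + SAMPLE_LAPD_FRAME),
    ]
    return pcap_bytes(frames)


def capture_directions(data: bytes):
    """Re-read a capture and report, per frame, whether it is user-to-network."""
    linktype, records = read_pcap(data)
    if linktype != LINKTYPE_LINUX_LAPD:
        raise ValueError(f"linktype {linktype} is not DLT_LINUX_LAPD")
    return [parse_linux_lapd_pseudo_header(rec[2])[0] for rec in records]


if __name__ == "__main__":
    with open("lapd_faked.pcap", "wb") as f:
        f.write(build_capture())
    print(capture_directions(build_capture()))  # prints [True, False]
```

The direction information lives only in the pseudo-header, which is the point of the NOTE in the reply: a capture written with DLT_LAPD (203) and no header would carry the same 4 LAPD bytes per frame and give a dissector nothing to distinguish the two directions. Bytes 2 to 5 and 7 to 13 are left zero here because the description assigns them no meaning; a capture produced by real hardware or a driver may fill them differently.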