Wireshark-users: Re: [Wireshark-users] decoding packet data payload?



From: Malcolm Herbert <mjch@xxxxxxxx>
Date: Mon, 5 May 2008 10:39:03 +1000

On Sun, May 04, 2008 at 12:04:13PM -0700, Guy Harris wrote:
|Malcolm Herbert wrote:
|> I have the entire TCP packet capture and can see the complete
|> HDLC-like PPP frames inside the TCP data payload - I'd like wireshark
|> to interpret this for me as I'm interested in seeing PPP at work.
|>
|> Ultimately I'd like to get at the TCP data running inside that as
|> well, but this is less important at the moment.
|
|No. Given that TCP has no notion of packet boundaries (the service it
|provides is a byte stream), and protocols you'd tunnel inside TCP *do*
|have such a notion, for each such protocol there would need to be some
|mechanism to allow byte boundaries to be determined.

aaah ... yes, fair enough ...

|Some protocols already have packet lengths in the packet header,
|but even those would need the dissector to do special work when run
|atop TCP - we couldn't just define every single dissector for those
|protocols to be usable atop TCP without adding "encapsulation over TCP"
|support to them.
|
|Other protocols have other mechanisms to indicate packet boundaries,
|and would need even more work.

In this case it seems that there's a 1:1 relationship between HDLC frame
and TCP packet, so that may not apply here, but I take your point ...

|> Alternately, since I'm wanting to look at PPP, would it be better to
|> capture the PPP session directly from a serial link somehow?
|
|You would have the same problem in that case.

hmmm

|If, however, you did the un-framing and un-escaping in a program, and
|had Wireshark capture from that program over a pipe, that might be
|easier, and wouldn't require Wireshark to be changed (at least not on
|UN*X).

actually this seems to be the most feasible - I already have most of the
code to do this bit already. Is there any documentation to tell me what
format Wireshark expects data to be in on stdin? Or can I just strip the
HDLC and dump the raw stream?

Thanks for the feedback ... :)

Regards,
Malcolm

-- 
Malcolm Herbert                                This brain intentionally
mjch@xxxxxxxx                                                left blank
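As an added example that is not part of this thread, the un-framing step the reply above suggests, written as a pipe feeder: it undoes the HDLC-like 0x7D escaping, drops frames whose FCS fails, and emits libpcap format, which is what Wireshark expects on a pipe rather than a raw byte stream. The link type (PPP, 9), the sample LCP frame, the flipped-bit copy and the helper names are my assumptions.

```python
import struct, sys
FLAG, ESC, ESC_XOR = 0x7E, 0x7D, 0x20
LINKTYPE_PPP = 9         # libpcap link type 9: PPP (frames starting FF 03 keep their HDLC address/control)
PPP_GOOD_FCS16 = 0xF0B8  # FCS residue over (frame + FCS) for an intact frame (RFC 1662)
def fcs16(data: bytes, fcs: int = 0xFFFF) -> int:
    """RFC 1662 16-bit FCS (reflected CRC-16, poly 0x8408) before the final ones-complement."""
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs

def hdlc_unframe(stream: bytes):
    """Split at 0x7E flags, undo 0x7D escapes, verify FCS; returns (good frames minus FCS, bad count)."""
    frames, bad, cur, escaped = [], 0, bytearray(), False
    for byte in stream:
        if byte == FLAG:
            if cur:                                # back-to-back flags carry no frame
                if len(cur) > 2 and fcs16(bytes(cur)) == PPP_GOOD_FCS16:
                    frames.append(bytes(cur[:-2]))
                else:
                    bad += 1                       # never hand a corrupted frame to the dissector
            cur, escaped = bytearray(), False
        elif byte == ESC:
            escaped = True
        else:
            cur.append(byte ^ ESC_XOR if escaped else byte)
            escaped = False
    return frames, bad

def pcap_bytes(frames, linktype=LINKTYPE_PPP) -> bytes:
    """Serialise frames as a libpcap capture; Wireshark reads this from a pipe (wireshark -k -i -)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):             # no clock available here: one fake second per frame
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def hdlc_frame(ppp: bytes) -> bytes:
    """Constructed-input helper (reverse of hdlc_unframe): append FCS, escape 0x7E/0x7D, add flags."""
    fcs = fcs16(ppp) ^ 0xFFFF
    body = ppp + bytes([fcs & 0xFF, fcs >> 8])     # FCS goes on the wire low byte first
    esc = b"".join(bytes([ESC, b ^ ESC_XOR]) if b in (FLAG, ESC) else bytes([b]) for b in body)
    return bytes([FLAG]) + esc + bytes([FLAG])

# Constructed sample: an LCP frame whose payload needs escaping, then a copy with one bit flipped (bad FCS).
SAMPLE_PPP = bytes.fromhex("ff03c021 01010008 7e7d1122")
_corrupt = bytearray(hdlc_frame(SAMPLE_PPP)); _corrupt[5] ^= 0x01
SAMPLE_STREAM = hdlc_frame(SAMPLE_PPP) + b"\x7e\x7e" + bytes(_corrupt)
```

In a pipeline, feed the raw TCP payload bytes (sys.stdin.buffer.read()) to hdlc_unframe() and write pcap_bytes() to sys.stdout.buffer for `wireshark -k -i -`; frames failing the FCS show up as a drop count rather than as a misparsed dissection.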
