Ethereal-dev: Re: [Ethereal-dev] Support for pure protocol packets without underlying protocol

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Matthijs Melchior <mmelchior@xxxxxxxxx>
Date: Tue, 01 Jul 2003 22:49:39 +0200
Jeff Morriss wrote:

Guy Harris wrote:
On Tue, Jun 24, 2003 at 05:14:56PM +0530, Navin Anand wrote:

The modified files are:
libpcap.c
407,413d406
<
<       /*
<        * 20 Added for the fake link type, required to dissect packets
<        * containing higher layer protocol payload without the lower layer
<        * protocol headers, e.g. pure TCP data without underlying IP.
<        */
<       { 20,           WTAP_ENCAP_FAKE_LINK },
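Review bot: the new table entry `{ 20, WTAP_ENCAP_FAKE_LINK }` hard-codes 20 as a libpcap link-layer type value without any registration, so a capture written with it will be misread by any tool that already assigns DLT_ 20 to something else; use a value obtained from tcpdump.org, or a private file format with its own magic, as suggested below. Also, the hunk header `407,413d406` with `<` lines means the modified file was passed to diff as the first argument, so the addition shows up as a deletion; regenerating with `diff -u original modified` would show it as `+` lines and is easier to review.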
There is no guarantee that a DLT_ value of 20 isn't being used
somewhere; it's best to request a DLT_ value from tcpdump.org - or to
define your own capture file format for your application, with its own
magic number, rather than using libpcap format.

Having just used libwiretap to dump packets to a PCAP file, I must admit that I like using that format (just for ease of use).
....
I have been using this to convert binary payload to a .pcap file:

od -Ax -tx1 stream | text2pcap -m1460 -T1234,5678 - stream.pcap

Together with a dissector that lets ethereal desegment the tcp stream,
I have had good results dissecting my data stream.
Desegmentation is managed by giving a hint where the next dissector
call should start when an exception occurs.

--
----------------------------------------------------------------  -o)
Matthijs Melchior                                       Maarssen  /\\
mmelchior@xxxxxxxxx                                  Netherlands _\_v
---------------------------------------------------------------- ----
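To show what the `od | text2pcap -m1460 -T1234,5678` step above actually produces, here is an added Python example (not code from the thread, text2pcap or Ethereal) that wraps a raw byte stream in synthetic Ethernet/IPv4/TCP headers with valid checksums, splits it into segments of at most a given size, and writes a standard pcap file with the registered Ethernet link type instead of an ad-hoc DLT_ value. The stream contents, MAC and IP addresses and timestamps are constructed for the example; the ports 1234 and 5678 are the ones from the command. A small reader verifies both checksums and reassembles the segments in sequence order, which is the work a TCP-desegmenting dissector later has to do.

```python
"""Standalone pcap writer that mimics `text2pcap -m<len> -T<src>,<dst>`: illustration only."""
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4       # standard microsecond-resolution pcap magic
LINKTYPE_ETHERNET = 1         # DLT_EN10MB, a registered link-layer type

# Constructed sample payload standing in for the author's "stream" file (1920 bytes).
SAMPLE_STREAM = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n" * 40

# Constructed addresses: RFC 5737 documentation range and locally administered MACs.
SRC_IP, DST_IP = "192.0.2.1", "192.0.2.2"
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum over 16-bit big-endian words (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload: bytes, src_port: int, dst_port: int, seq: int, ack: int = 0) -> bytes:
    """Return one Ethernet frame carrying an IPv4/TCP segment (PSH|ACK) with `payload`."""
    src_addr = bytes(int(o) for o in SRC_IP.split("."))
    dst_addr = bytes(int(o) for o in DST_IP.split("."))
    tcp_len = 20 + len(payload)
    # TCP header with a zero checksum field, then checksum over pseudo-header + segment.
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src_addr, dst_addr, 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp + payload)) + tcp[18:]
    # IPv4 header: version 4 / IHL 5, DF set, TTL 64, protocol 6 (TCP).
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, 64, 6, 0, src_addr, dst_addr)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    eth = struct.pack("!6s6sH", DST_MAC, SRC_MAC, 0x0800)
    return eth + ip + tcp + payload


def stream_to_pcap(stream: bytes, max_len: int, src_port: int, dst_port: int) -> bytes:
    """Split `stream` into TCP segments of at most `max_len` bytes (text2pcap -m) and emit a pcap."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    seq = 1                                  # initial sequence number (constructed)
    for index, off in enumerate(range(0, len(stream), max_len)):
        chunk = stream[off:off + max_len]
        frame = build_frame(chunk, src_port, dst_port, seq)
        seq += len(chunk)                    # next segment continues the byte stream
        # Synthetic timestamps: one millisecond between segments.
        out.append(struct.pack("<IIII", 0, index * 1000, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data: bytes) -> List[Tuple[int, bytes]]:
    """Parse the pcap back into (tcp_seq, payload) records, verifying IP and TCP checksums."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not an Ethernet pcap written by this example")
    records, pos = [], 24
    while pos < len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        ip = frame[14:34]
        if ones_complement_sum(ip) != 0:     # a valid header sums to zero
            raise ValueError("bad IP checksum")
        total_len = struct.unpack("!H", ip[2:4])[0]
        segment = frame[34:14 + total_len]
        pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, 6, len(segment))
        if ones_complement_sum(pseudo + segment) != 0:
            raise ValueError("bad TCP checksum")
        seq = struct.unpack("!I", segment[4:8])[0]
        records.append((seq, segment[20:]))
    return records


def reassemble(records: List[Tuple[int, bytes]]) -> bytes:
    """Concatenate payloads in sequence-number order, as a desegmenting dissector would."""
    return b"".join(payload for _, payload in sorted(records))


if __name__ == "__main__":
    pcap = stream_to_pcap(SAMPLE_STREAM, 1460, 1234, 5678)
    with open("stream.pcap", "wb") as f:
        f.write(pcap)
    recs = read_pcap(pcap)
    ok = reassemble(recs) == SAMPLE_STREAM
    print("%d segments written; reassembly %s" % (len(recs), "ok" if ok else "MISMATCH"))
```

Run as a script it writes `stream.pcap`, which Ethereal or Wireshark opens as ordinary TCP traffic on port 5678, so the "Follow TCP Stream" and desegmentation machinery apply to the synthetic stream exactly as they would to a real capture.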