Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Ethereal-dev: Re: [Ethereal-dev] updated fakelink dissector + (new) README.fakelink

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 18 Jul 2003 16:19:21 -0700

On Tuesday, July 8, 2003, at 2:04 PM, Jeff Morriss wrote:


1) What is the fake link layer?
---------------------------------
The fake link layer is a dissector in Ethereal that allows Ethereal to read 
a capture file (in PCAP format: fake link has (TODO: will have) its own
DLT_ file format identifier reserved in libpcap) that contains some protocol layer without any of the lower level protocol parts (headers, trailers) on it. Examples include MTP3 without the MTP2 header or SCCP without MTP3 (or below). A (TODO: bad?) non-SS7 example would be TCP without IP (and without Ethernet).
Why? Because there are some protocols that Ethereal understands most of but could not (prior to Fake Link) decode directly because those protocols don't run over a link layer that Ethereal understands. A good example of this is SS7: Ethereal understands a good number of the SS7 protocols because people have developed dissectors for use with SIGTRAN (SS7 over IP) but Ethereal 
can not capture directly from SS7 links.
It can't capture directly from ISDN links, either, but it does understand ISDN links, at least at the level of frame plus channel number (the D channel is dissected as LAPD; the B channel is dissected as V.120 or PPP-in-HDLC-like-encapsulation, depending on heuristics). The same applies to SDLC.
It understands those link layers because it can read captures from other network analyzers that can do that (because they have hardware pods to do so, as in the case of, for example, a Network Associates Sniffer(R)). 


3) How to write a fake link layer PCAP file?
----------------------------------------------
There are 2 methods that you can use to write out a fake link PCAP capture file: by using the Wiretap library (part of Ethereal) or by writing the file out directly from your application. It would make sense that libpcap could be used directly (which could be advantageous since it has a BSD license) but the APIs for libpcap do not seem to allow writing protocol packets to a file 
directly (it seems geared more towards capture-and-writing).
You could, with more recent versions of libpcap, probably cheat by calling "pcap_open_dead()" and using the pcap_t * you get back from that as the argument to "pcap_dump_open()".
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube