Ethereal-dev: RE: [Ethereal-dev] non-ethernet use of ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ray Rizzuto" <Ray_Rizzuto@xxxxxxx>
Date: Wed, 15 Sep 2004 09:51:14 -0400
Guy,

Thanks!  That's exactly what I needed.  I'll probably need to prepend
some information to the raw data, such as the direction and interface
number (for a multi-interface capture).

Ray   

-----Original Message-----
From: ethereal-dev-bounces@xxxxxxxxxxxx
[mailto:ethereal-dev-bounces@xxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Tuesday, September 14, 2004 5:01 PM
To: Ethereal development
Subject: RE: [Ethereal-dev] non-ethernet use of ethereal

Ray Rizzuto said:
> I'd like to use an existing file format, if possible.  I have control 
> of creating the output file from another application.  Do you know 
> where I can get documentation on the libpcap format to see if I can 
> use that to contain non-ethernet data?

Libpcap format *already* supports non-Ethernet data, and has done so for
ages.  Unless you need special out-of-band data, you'd just write the
raw packet data - and if you *do* need special out-of-band data, you
could just prepend it to the raw packet data; that's how SunATM captures
supply the VPI/VCI, direction, and traffic type information.

Probably the easiest way to write out a libpcap file would be to use
libpcap/WinPcap to do it.

The API for opening an output file was somewhat too narrowly conceived -
it takes an open libpcap *input* as an argument, to supply the
link-layer type, etc. - but sufficiently recent versions of libpcap have
a workaround, namely "pcap_open_dead()", which lets you create a "fake"
libpcap input with a specified link-layer type and snapshot length.  You
can then use that as an argument to "pcap_dump_open()".

If this is going to be a private extension to Ethereal - so that you can
use one of the WTAP_ENCAP_USER{N} values - there's a range of private
link-layer type values for libpcap format, DLT_USER{N}, in the range 147
through 162.  You could use one of those as the link-layer type;
Ethereal already knows that it should map DLT_USER{N} to
WTAP_ENCAP_USER{N}.

If this is going to be public, you must ask tcpdump-workers@xxxxxxxxxxx
for a link-layer type value, and use that value.
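
What the resulting file looks like on disk, as an added example (not code from this thread or from libpcap): it writes the libpcap file layout directly with stdio rather than through pcap_open_dead()/pcap_dump_open(), using link-layer type 147 (DLT_USER0). The two-byte pseudo-header for direction and interface number, the file name and the sample bytes are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define DLT_USER0 147u    /* first of the private link-layer types, 147..162 */
#define SNAPLEN   65535u  /* snapshot length recorded in the file header */

/* Assumed pseudo-header (not a standard layout), prepended to every packet. */
struct oob_hdr { uint8_t direction; uint8_t ifindex; };

/* libpcap file and record headers, written in host byte order; readers
   detect the writer's byte order from the magic number. */
struct file_hdr { uint32_t magic; uint16_t vmajor, vminor; int32_t thiszone;
                  uint32_t sigfigs, snaplen, linktype; };
struct rec_hdr  { uint32_t ts_sec, ts_usec, caplen, len; };

int write_file_header(FILE *f)
{
    struct file_hdr h = { 0xa1b2c3d4u, 2, 4, 0, 0, SNAPLEN, DLT_USER0 };
    return fwrite(&h, sizeof h, 1, f) == 1 ? 0 : -1;
}

/* Write one record: record header, pseudo-header, then the raw packet bytes,
   truncated so that pseudo-header + data never exceeds SNAPLEN. */
int write_packet(FILE *f, uint32_t sec, uint32_t usec, struct oob_hdr oob,
                 const uint8_t *data, uint32_t n)
{
    if (n > UINT32_MAX - sizeof oob) return -1;   /* original length would wrap */
    uint32_t room = SNAPLEN - (uint32_t)sizeof oob;
    uint32_t keep = n > room ? room : n;
    struct rec_hdr r = { sec, usec, (uint32_t)sizeof oob + keep,
                         (uint32_t)sizeof oob + n };
    if (fwrite(&r, sizeof r, 1, f) != 1) return -1;
    if (fwrite(&oob, sizeof oob, 1, f) != 1) return -1;
    if (keep && fwrite(data, 1, keep, f) != keep) return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample: 4 payload bytes, direction 1, interface 3. */
    const uint8_t pkt[] = { 0xde, 0xad, 0xbe, 0xef };
    struct oob_hdr oob = { 1, 3 };
    FILE *f = fopen("user0.pcap", "wb");
    if (!f) return 1;
    int rc = write_file_header(f) ||
             write_packet(f, 1095256274u, 0, oob, pkt, sizeof pkt);
    fclose(f);
    return rc ? 1 : 0;
}
```

A reader of this file still needs a dissector that understands the pseudo-header before the raw packet data.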

