On Wed, Apr 02, 2003 at 04:39:31PM -0800, Alvaro GOMES wrote:
> I'm trying to implement a new file format conversion in the
> editcap.exe tool. I'm looking for some documentation,
> I have been browsing all the web site( www.ethereal.com) , but I didn't
> find anything.
That's because there isn't any documentation on that.
> I know that the task seems to be done by the code in wiretap.dll.
Yes, it's done by the Wiretap library - Ethereal, Tethereal, editcap,
etc. use Wiretap to read capture files, so what you're adding is not a
new file format conversion in editcap, what you're adding is the ability
for Ethereal, Tethereal, editcap, etc. to read and/or write a new
capture file format (for example, if you add the ability to read that
format, you don't need to convert the file in order to read it in
Ethereal, you'd only need it in order to read it in other applications).
I don't have time to write a long tutorial, but:
To add the ability to read a new capture file format, you have to:
add a new WTAP_FILE_ value for the file type to
"wiretap/wtap.h", and increase WTAP_NUM_FILE_TYPES by 1;
write an "open" routine that can read the beginning of the
capture file and figure out if it's in that format or not,
either by looking at a magic number at the beginning or by using
some form of heuristic to determine if it's a file of that type
(if the file format has a magic number, that's what should be
used);
write a "read" routine that can read a packet from the file and
supply the packet length, captured data length, and time stamp,
and have the "open" routine set the "subtype_read" member of the
"wtap" structure supplied to it to point to that routine;
write a "seek and read" routine, if necessary, and have the
"open" routine set the "subtype_seek_read" member of the "wtap"
structure to point to that routine, otherwise set it to
"wtap_def_seek_read";
write a "close" routine, if necessary (if, for example, the
"open" routine allocates any memory), and set the
"subtype_close" member of the "wtap" structure to point to it,
otherwise leave it set to NULL;
add a pointer to the "open" routine to the "open_routines[]"
table in "file.c" - if it uses a magic number, put it in the
first section of that list, and, if it uses a heuristic, put it
in the second section, preferably putting the heuristic routines
for binary files before the heuristic routines for text files;
add an entry for that file type in the "dump_open_table[]" in
"file.c", giving a descriptive name, a short name that's
convenient to type on a command line (no blanks or capital
letters, please), and pointers to the "can_write_encap" and
"dump_open" routines if writing that file is supported (see
below), otherwise just null pointers.
To add the ability to write a new capture file format, you have to:
add a "can_write_encap" routine that returns an indication of
whether a given packet encapsulation format is supported by the
new capture file format;
add a "dump_open" routine that starts writing a file (writing
headers, allocating data structures, etc.);
add a "dump" routine to write a packet to a file, and have the
"dump_open" routine set the "subtype_write" member of the
"wtap_dumper" structure passed to it to point to it;
add a "close" routine, if necessary (if, for example, the
"dump_open" routine allocates any memory, or if some of the file
header can be written only after all the packets have been
written), and have the "dump_open" routine set the
"subtype_close" member of the "wtap_dumper" structure to point
to it;
put pointers to the "can_write_encap" and "dump_open" routines
in the "dump_open_table[]" entry for that file type.
