Wireshark-dev: Re: [Wireshark-dev] Questions about dev
From: "Kukosa, Tomas" <[email protected]>
Date: Wed, 8 Nov 2006 08:51:16 +0100
Hello,

I use a little bit differen solution for a similar problem.
Sometimes I need to dissect proprietray protocols from tracesfiles not
supported by Wireshark.
I use following way:
1) convert trace file to pcap format with linktype DLT_USERx (x=0-15)
   simple conversion tool can be written in Perl, Python or whatever you
like
2) register my dissector to WTAP_ENCAP_USERx;
   dissector_add("wtap_encap", WTAP_ENCAP_USERx, my_proto_handle);

The advantage is that it does not need any changes (and recompilation)
in Wireshark.

regards,
  Tomas


-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Neha Chahal
Sent: Tuesday, November 07, 2006 9:13 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Questions about dev

On 11/7/06, Guy Harris <[email protected]> wrote:
> Neha Chahal wrote:
>
> > The format of the file is binary
>
> "Binary" isn't a format for a packet capture; there are several
capture
> file formats, all of which are binary, but they're not all the same.
> What *specific* binary format is it?
>
> Is this some standard format (libpcap format as used by
> tcpdump/WinDump/Wireshark/etc., DOS Sniffer format, Windows Sniffer
> format, Microsoft Network Monitor format, Sun snoop format, etc.), or
is
> it some format you or somebody else has created?

Yes it is "not" one of these formats. The packets are in LEA binary
format.
>
> > and the protocol is LEA.
>
> What protocol is that?

Law Enforcement Agency protocol for call tracing(lawful intercept
protocol)

>
> > It is a protocol at the application layer. So it is the top  most
protocol.
>
> What protocol does it run atop?  TCP?  UDP?  Some other protocol?
>

On top of UDP for my application.

> > So I have to implement both. Is that true?
>
> Yes, you have to implement both read and seek_read functions.
>
> > So my read routine is returning the packet in wth->frame_buffer. But
I
> > have not implementes the seek_read. The README.dev says "implement
> > seek_read if necessary". What does this mean?
>
> It means that the documentation hasn't been updated to indicate that
> there's no longer a "default" seek_read routine that a file format
> module can use, so modules always have to have their own seek_read
> routine.  (I've just checked in a change to wiretap/README.developer
to
> fix that.)
>
> > When is it necessary?
>
> Always.
>
> > My packets dont have any transport layer headers. They are in the
> > format I have specified in the dissector. So this is the way my
packet
> > looks like.
> >
> > fixed header
> > payload header
> > variable length payload
>
> So are you saying that the *ONLY* protocol in the packet is this "LEA"
> protocol?

Yes, only LEA.

>
> > In the dissector I have given protocol details starting from the
fixed
> > header. So the packet that I return in the wth->frame_buffer should
> > start from the fixed header to the end of the payload. Is this
> > correct?
>
> Yes.
>
> > Where should the data offset point. At the payload header or at the
> > fixed header ?
>
> At the fixed header - it's the offset to which the seek_read routine
> would need to seek to get the entire packet.

okay.

So once I am done doing these changes. How do I test my changes?
Should I do a make install. And then run tethereal on my binary file.
Currently I am working on the ethereal tar, I downloaded.

Thank you very much, forgive me if I sound stupid. But I am very new
to ethereal/wireshark.

--Neha
> _______________________________________________
> Wireshark-dev mailing list
> [email protected]
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>


-- 
Thanks and Regards,
Neha Chahal
Cell- 443 207 0414
_______________________________________________
Wireshark-dev mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-dev