Wireshark-dev: Re: [Wireshark-dev] Questions about dev

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Wed, 8 Nov 2006 09:52:26 +0100 (CET)
Hi,

I'm all for that. I personally don't like extending Wireshark into the
realm of trace file analyser.

Thanx,
Jaap

On Wed, 8 Nov 2006, Kukosa, Tomas wrote:

> Hello,
>
> I use a little bit different solution for a similar problem.
> Sometimes I need to dissect proprietary protocols from trace files not
> supported by Wireshark.
> I use the following way:
> 1) convert trace file to pcap format with linktype DLT_USERx (x=0-15)
>    a simple conversion tool can be written in Perl, Python or whatever you
>    like
> 2) register my dissector to WTAP_ENCAP_USERx;
>    dissector_add("wtap_encap", WTAP_ENCAP_USERx, my_proto_handle);
>
> The advantage is that it does not need any changes (and recompilation)
> in Wireshark.
>
> regards,
>   Tomas
>
>
> -----Original Message-----
> From: wireshark-dev-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Neha Chahal
> Sent: Tuesday, November 07, 2006 9:13 PM
> To: Developer support list for Wireshark
> Subject: Re: [Wireshark-dev] Questions about dev
>
> On 11/7/06, Guy Harris <guy@xxxxxxxxxxxx> wrote:
> > Neha Chahal wrote:
> >
> > > The format of the file is binary
> >
> > "Binary" isn't a format for a packet capture; there are several
> > capture file formats, all of which are binary, but they're not all the
> > same. What *specific* binary format is it?
> >
> > Is this some standard format (libpcap format as used by
> > tcpdump/WinDump/Wireshark/etc., DOS Sniffer format, Windows Sniffer
> > format, Microsoft Network Monitor format, Sun snoop format, etc.), or
> > is it some format you or somebody else has created?
>
> Yes it is "not" one of these formats. The packets are in LEA binary
> format.
> >
> > > and the protocol is LEA.
> >
> > What protocol is that?
>
> Law Enforcement Agency protocol for call tracing (lawful intercept
> protocol)
>
> >
> > > It is a protocol at the application layer. So it is the topmost
> > > protocol.
> >
> > What protocol does it run atop?  TCP?  UDP?  Some other protocol?
> >
>
> On top of UDP for my application.
>
> > > So I have to implement both. Is that true?
> >
> > Yes, you have to implement both read and seek_read functions.
> >
> > > So my read routine is returning the packet in wth->frame_buffer. But
> > > I have not implemented the seek_read. The README.dev says "implement
> > > seek_read if necessary". What does this mean?
> >
> > It means that the documentation hasn't been updated to indicate that
> > there's no longer a "default" seek_read routine that a file format
> > module can use, so modules always have to have their own seek_read
> > routine.  (I've just checked in a change to wiretap/README.developer
> > to fix that.)
> >
> > > When is it necessary?
> >
> > Always.
> >
> > > My packets don't have any transport layer headers. They are in the
> > > format I have specified in the dissector. So this is the way my
> > > packet looks like.
> > >
> > > fixed header
> > > payload header
> > > variable length payload
> >
> > So are you saying that the *ONLY* protocol in the packet is this "LEA"
> > protocol?
>
> Yes, only LEA.
>
> >
> > > In the dissector I have given protocol details starting from the
> > > fixed header. So the packet that I return in the wth->frame_buffer
> > > should start from the fixed header to the end of the payload. Is this
> > > correct?
> >
> > Yes.
> >
> > > Where should the data offset point. At the payload header or at the
> > > fixed header ?
> >
> > At the fixed header - it's the offset to which the seek_read routine
> > would need to seek to get the entire packet.
>
> okay.
>
> So once I am done doing these changes, how do I test my changes?
> Should I do a make install, and then run tethereal on my binary file?
> Currently I am working on the ethereal tar I downloaded.
>
> Thank you very much, and forgive me if I sound stupid, but I am very new
> to ethereal/wireshark.
>
> --Neha
> > _______________________________________________
> > Wireshark-dev mailing list
> > Wireshark-dev@xxxxxxxxxxxxx
> > http://www.wireshark.org/mailman/listinfo/wireshark-dev
> >
>
>
> --
> Thanks and Regards,
> Neha Chahal
> Cell- 443 207 0414
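The two-step approach Tomas describes (convert the trace to pcap with a DLT_USERx link type, then hang a dissector on the matching WTAP_ENCAP_USERx) needs a converter for step 1; the following is an added example, not code from this thread or from the Wireshark project. The input is a constructed toy trace format invented for the example (a 10-byte record header of seconds, microseconds and payload length, followed by the payload), not the LEA format discussed above. DLT_USER0 = 147 is the libpcap value for the first user link type (DLT_USER0..DLT_USER15 are 147..162); the function names, the toy format and the sample bytes are this example's own.

```python
"""Convert a hypothetical proprietary trace format to pcap with a DLT_USERx
link type, so a dissector registered on the matching WTAP_ENCAP_USERx sees
each raw trace record as the whole frame (no link-layer header in front)."""
import struct
from typing import List, Tuple

DLT_USER0 = 147               # libpcap DLT_USER0; DLT_USER0..DLT_USER15 = 147..162
PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic pcap magic, microsecond timestamps
PCAP_VERSION = (2, 4)
DEFAULT_SNAPLEN = 65535

Record = Tuple[int, int, bytes]  # (ts_sec, ts_usec, frame bytes)

# Constructed toy trace format (an assumption for this example, not any real
# vendor format): uint32 BE seconds | uint32 BE microseconds | uint16 BE length,
# then `length` bytes of payload.
TOY_HDR = struct.Struct(">IIH")


def parse_toy_trace(data: bytes) -> List[Record]:
    """Split a toy trace blob into records. The length fields come from the
    file, so they are bounds-checked rather than trusted."""
    records: List[Record] = []
    off = 0
    while off < len(data):
        if len(data) - off < TOY_HDR.size:
            raise ValueError(f"truncated record header at offset {off}")
        sec, usec, plen = TOY_HDR.unpack_from(data, off)
        if usec >= 1_000_000:
            raise ValueError(f"bad microsecond field {usec} at offset {off}")
        off += TOY_HDR.size
        if len(data) - off < plen:
            raise ValueError(f"record claims {plen} bytes but only {len(data) - off} remain")
        records.append((sec, usec, data[off:off + plen]))
        off += plen
    return records


def to_pcap(records: List[Record], linktype: int = DLT_USER0,
            snaplen: int = DEFAULT_SNAPLEN) -> bytes:
    """Serialise records as a little-endian pcap file. Frames longer than
    snaplen are cut to snaplen, with orig_len kept so Wireshark reports them
    as truncated instead of silently misparsing them."""
    if not DLT_USER0 <= linktype <= DLT_USER0 + 15:
        raise ValueError("linktype must be DLT_USER0..DLT_USER15 (147..162)")
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, network
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_USEC, *PCAP_VERSION,
                                0, 0, snaplen, linktype))
    for sec, usec, frame in records:
        captured = frame[:snaplen]
        # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", sec, usec, len(captured), len(frame))
        out += captured
    return bytes(out)


def read_pcap(data: bytes):
    """Minimal reader used to check the round trip. Returns (linktype, records)
    with each record as (sec, usec, captured bytes, orig_len)."""
    magic, _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC_USEC:
        raise ValueError("not a little-endian microsecond pcap file")
    off, recs = 24, []
    while off < len(data):
        sec, usec, incl, orig = struct.unpack_from("<IIII", data, off)
        off += 16
        if incl > snaplen or len(data) - off < incl:
            raise ValueError(f"bad record length at offset {off}")
        recs.append((sec, usec, data[off:off + incl], orig))
        off += incl
    return linktype, recs


# Constructed sample trace: two records of the toy format. The payload bytes
# are arbitrary; they stand in for whatever the proprietary protocol carries.
PAYLOAD_A = b"\x01\x00\x00\x02\x00\x03abc"
PAYLOAD_B = b"\x01\x00\x00\x09" + bytes(range(20))
SAMPLE_TRACE = (
    TOY_HDR.pack(1162976400, 250, len(PAYLOAD_A)) + PAYLOAD_A
    + TOY_HDR.pack(1162976401, 999999, len(PAYLOAD_B)) + PAYLOAD_B
)


def convert(trace: bytes = SAMPLE_TRACE, linktype: int = DLT_USER0,
            snaplen: int = DEFAULT_SNAPLEN) -> bytes:
    """Toy trace in, DLT_USERx pcap out."""
    return to_pcap(parse_toy_trace(trace), linktype, snaplen)


if __name__ == "__main__":
    with open("toy_user0.pcap", "wb") as f:
        f.write(convert())
    print("wrote toy_user0.pcap (link type DLT_USER0); try: tshark -r toy_user0.pcap")
```

The link type written into the global header is what the dissector_add("wtap_encap", WTAP_ENCAP_USERx, ...) registration from step 2 keys on, so the x chosen here and the x in the dissector must match. Because the trace file is untrusted input, the converter refuses records whose length field overruns the buffer rather than reading past it, and it preserves orig_len when a frame exceeds the snaplen so that truncation shows up in the capture instead of being hidden.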