
Wireshark-dev: [Wireshark-dev] capturing data from a proprietary device

Date: Tue, 10 Jul 2007 16:42:38 -0400

I'm trying to figure out how to format (or where to place the data)
in the pcap buffer when capturing my WAN protocols.

I've built a system that will capture the data and feed it via pcap to
wireshark, and I've got it working for Ethernet data and for frame relay
data, but I'm having trouble dealing with getting the proprietary data
into wireshark intact so that I can later write a dissector.

(I'm going to test everything out before submitting my requests for a set
of DLT_ numbers for these protocols.  In the meantime, I've just taken the
next few currently un-assigned ones while I work on my code).

The trouble is that I don't know what values to put into: off_linktype,
off_nl and off_nl_nosnap for my DLT cases. (And I think that's where my
problem lies.)

Right now, the first thing in each received buffer is the typical 16 bytes
of:
timestamp_sec, timestamp_usec, capture_len, pkt_len, which is
followed by 'n' bytes of my protocol's data.



Here's the stuff that I captured and fed into pcap/wireshark:

Pkt 1 hdr : 46 93 ae 55  00 0c df 4b  00 00 00 0b  00 00 00 0b
            \---------/  \---------/  \---------/  \---------/
             timestamp    timestamp   capture len  packet len

Pkt 1 data: 01 02 03 01 47 50 70 03 64 7f 7f
            \------------------------------/
            0xb bytes of my captured data


Pkt 2 hdr : 46 93 ae 56 00 02 3b 7e 00 00 0b 00 00 00 0b
Pkt 2 data: 01 02 03 01 3b 50 70 03 18 7f 7f

Pkt 3 hdr : 46 93 ae 56 00 06 dd db 00 00 00 0b 00 00 00 0b
Pkt 3 data: 01 02 03 01 47 50 70 03 64 7f 7f

...


When Wireshark goes to display it, the Protocol column says 'unknown',
which I can understand, because I don't have any dissectors for that
DLT (WTAP_ENCAP) type yet.

The Info column says WTAP_ENCAP = 94.
(I don't see where it gets the value of '94' from.)

The summary pane (for the first message) says:

Frame 1 had (6 bytes on wire, 6 bytes captured)
Data (6 bytes)

and the (related) detail pane says:

0000  7f 56 ae 93 46 7e


I can reverse engineer (see that data pattern in the header of the 2nd data
message), but I don't know why it's looking in there, and why it thinks
there are only 6 bytes of data, and why it's looking at it with the endianness
it is.


For the life of me, I can't figure out what I'm doing wrong,
to cause Wireshark to go looking in there.

I have tried to look through docs and mailing lists,
but I haven't found anything to help me yet.  :-(

Can anyone out there please enlighten me?

TIA
Fulko Hew
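As an added example (not the poster's code), here is a minimal pcap writer and a defensive reader in Python for the record layout described above: the 16-byte header of ts_sec, ts_usec, caplen and origlen followed by the frame, using Pkt 1 from the post as the sample. The reader takes the byte order from the file magic and rejects any record whose caplen does not fit the bytes actually present, which is exactly what a record header written in the wrong byte order looks like to a reader; LINKTYPE_USER0 (147) stands in for the poster's unassigned DLT numbers, and the per-record size bound is an assumption.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
MAX_RECORD = 262_144      # sanity bound on one record; an assumption, not from the post
DLT_EXAMPLE = 147         # LINKTYPE_USER0, a user-reserved value standing in for the poster's DLT

# Constructed sample: the "Pkt 1" record header and data transcribed in the post, MSB first.
PKT1_HDR = bytes.fromhex("4693ae55 000cdf4b 0000000b 0000000b")
PKT1_DATA = bytes.fromhex("01020301 47507003 647f7f")

def global_header(linktype, big_endian=True):
    """24-byte file header: magic, version 2.4, thiszone 0, sigfigs 0, snaplen, linktype."""
    fmt = ">IHHiIII" if big_endian else "<IHHiIII"
    return struct.pack(fmt, PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)

def record(data, ts_sec, ts_usec, big_endian=True):
    """16-byte record header (ts_sec, ts_usec, caplen, origlen) followed by the raw frame."""
    fmt = ">IIII" if big_endian else "<IIII"
    return struct.pack(fmt, ts_sec, ts_usec, len(data), len(data)) + data

def parse_pcap(buf):
    """Return (linktype, [(ts_sec, ts_usec, frame), ...]); byte order comes from the magic,
    and a record whose lengths do not fit the bytes present is rejected instead of over-read."""
    if len(buf) < 24:
        raise ValueError("truncated file header")
    if struct.unpack_from(">I", buf, 0)[0] == PCAP_MAGIC:
        e = ">"
    elif struct.unpack_from("<I", buf, 0)[0] == PCAP_MAGIC:
        e = "<"
    else:
        raise ValueError("unknown magic %s" % buf[:4].hex())
    linktype = struct.unpack_from(e + "I", buf, 20)[0]
    records, off = [], 24
    while off < len(buf):
        if off + 16 > len(buf):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, caplen, origlen = struct.unpack_from(e + "IIII", buf, off)
        if caplen > origlen or caplen > MAX_RECORD or off + 16 + caplen > len(buf):
            raise ValueError("bad lengths at offset %d: caplen=%d origlen=%d" % (off, caplen, origlen))
        records.append((ts_sec, ts_usec, buf[off + 16:off + 16 + caplen]))
        off += 16 + caplen
    return linktype, records

def validate(buf):
    """None if the file parses cleanly, otherwise the reason it was rejected."""
    try:
        parse_pcap(buf)
        return None
    except ValueError as exc:
        return str(exc)
```

Feeding a little-endian file header followed by the big-endian Pkt 1 record from the post makes the reader see caplen = 0x0b000000 and refuse the record, which is the mismatch to rule out first.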


