Wireshark-dev: Re: [Wireshark-dev] capturing data from a propietary device
From: Fulko.Hew@xxxxxxxxx
Date: Tue, 10 Jul 2007 17:17:52 -0400
wireshark-dev-bounces@xxxxxxxxxxxxx wrote on 07/10/2007 05:00:59 PM:

> Fulko.Hew@xxxxxxxxx schrieb:
> > I'm trying to figure out how to format (or where to place the data)
> > in the pcap buffer when capturing my WAN protocols.
> >
> > I've built a system that will capture the data and feed it via pcap to
> > wireshark, and I've got it working for Ethernet data and for frame relay
> > data, but I'm having trouble dealing with getting the proprietary data
> > into wireshark intact so that I can later write a dissector.
> >
> > (I'm going to test everything out before submitting my requests for a set
> > of DLT_ numbers for these protocols. In the meantime, I've just taken the
> > next few currently un-assigned ones while I work on my code).
> >
> > The trouble is that I don't know what values to put into: off_linktype,
> > off_nl and off_nl_nosnap for my DLT cases. (And I think that's where my
> > problem lies.)
> >
> > Right now, the first thing in each received buffer is the typical 16 bytes
> > of: timestamp_sec, timestamp_usec, capture_len, pkt_len, which is
> > followed by 'n' bytes of my protocol's data.
> >
> > Here's the stuff that I captured and fed into pcap/wireshark:
> >
> > Pkt 1 hdr : 46 93 ae 55 00 0c df 4b 00 00 00 0b 00 00 00 0b
> >             \---------/ \---------/ \---------/ \---------/
> >              timestamp   timestamp  capture len  packet len
> >
> > Pkt 1 data: 01 02 03 01 47 50 70 03 64 7f 7f
> >             \------------------------------/
> >              0xb bytes of my captured data
> >
> > Pkt 2 hdr : 46 93 ae 56 00 02 3b 7e 00 00 0b 00 00 00 0b
> > Pkt 2 data: 01 02 03 01 3b 50 70 03 18 7f 7f
> >
> > Pkt 3 hdr : 46 93 ae 56 00 06 dd db 00 00 00 0b 00 00 00 0b
> > Pkt 3 data: 01 02 03 01 47 50 70 03 64 7f 7f
> >
> > ...
> >
> > When Wireshark goes to display it, the Protocol column says 'unknown',
> > which I can understand, because I don't have any dissectors for that
> > DLT (WTAP_ENCAP) type yet.
> > The Info column says WTAP_ENCAP = 94.
> > (I don't see where it gets the value of '94' from.)
> >
> > The summary pane (for the first message) says:
> >
> > Frame 1 had (6 bytes on wire, 6 bytes captured)
> > Data (6 bytes)
> >
> > and the (related) detail pane says:
> >
> > 0000 7f 56 ae 93 46 7e
> >
> > I can reverse engineer (see that data pattern in the header of the 2nd data
> > message), but I don't know why it's looking in there, and why it thinks
> > there are only 6 bytes of data, and why it's looking at it with the
> > endianness it is.
> >
> > For the life of me, I can't figure out what I'm doing wrong,
> > to cause Wireshark to go looking in there.
> >
> > I have tried to look through docs and mailing lists,
> > but I haven't found anything to help me yet. :-(
>
> Did you notice http://wiki.wireshark.org/Development/LibpcapFileFormat?

Yes, I did, and I am in theory following it.

The difference is that the document refers to the 'file format' and not
the live stream, so the global header is not applicable. This information
is (somehow) exchanged in a different manner via DLT_xxx and WTAP_ENCAP_xxx.

Looking at it in more detail... either my DLT_xxx isn't being propagated
into Wireshark or my WTAP_ENCAP_xxx in Wireshark isn't being followed, or
there's a disconnect somewhere.

But presuming that I get the DLT and WTAP to line up, I still don't know
what values to put into off_linktype, off_nl and off_nl_nosnap on the pcap
side of things.
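As an added example (my own code, not from this thread or from Wireshark), a small Python parser for the 16-byte record header the first message describes, fed with records 1 and 3 from the quoted dump; it reads each header in both byte orders and keeps the one that yields a valid record (microseconds below one million, captured length no larger than the on-wire length or the bytes actually present). The function names and the snaplen bound are my own assumptions.

```python
"""Decode the 16-byte pcap record header from the thread in either byte order."""
import struct
from typing import List, NamedTuple, Optional, Tuple

RECORD_HDR_LEN = 16
MAX_SNAPLEN = 262144  # assumed upper bound on a sane captured length

class RecordHeader(NamedTuple):
    ts_sec: int     # timestamp, seconds since the epoch
    ts_usec: int    # timestamp, microseconds (must be < 1,000,000)
    incl_len: int   # bytes actually captured (capture_len in the mail)
    orig_len: int   # bytes on the wire (pkt_len in the mail)

def parse_record_header(buf: bytes, byte_order: str) -> RecordHeader:
    """byte_order is '>' (big-endian / network) or '<' (little-endian)."""
    return RecordHeader(*struct.unpack(byte_order + "IIII", buf[:RECORD_HDR_LEN]))

def header_is_plausible(hdr: RecordHeader, remaining: int) -> bool:
    """Reject readings that no valid pcap record could produce."""
    return (hdr.ts_usec < 1_000_000
            and 0 < hdr.incl_len <= hdr.orig_len
            and hdr.incl_len <= MAX_SNAPLEN
            and hdr.incl_len <= remaining)

def detect_byte_order(buf: bytes) -> Optional[str]:
    """Return the byte order under which the first header makes sense, if any."""
    remaining = len(buf) - RECORD_HDR_LEN
    for order in (">", "<"):
        if header_is_plausible(parse_record_header(buf, order), remaining):
            return order
    return None

def split_records(buf: bytes, byte_order: str) -> List[Tuple[RecordHeader, bytes]]:
    """Walk a stream of header+data records, stopping at the first bad header."""
    records, off = [], 0
    while off + RECORD_HDR_LEN <= len(buf):
        hdr = parse_record_header(buf[off:], byte_order)
        if not header_is_plausible(hdr, len(buf) - off - RECORD_HDR_LEN):
            break
        start = off + RECORD_HDR_LEN
        records.append((hdr, buf[start:start + hdr.incl_len]))
        off = start + hdr.incl_len
    return records

# Records 1 and 3 exactly as quoted in the mail (record 2 is left out: as
# quoted, its header is one byte short and cannot be decoded as written).
PKT1 = bytes.fromhex("4693ae55000cdf4b0000000b0000000b" "0102030147507003647f7f")
PKT3 = bytes.fromhex("4693ae560006dddb0000000b0000000b" "0102030147507003647f7f")
STREAM = PKT1 + PKT3
```

On the quoted bytes only the big-endian reading is valid; the same check is a quick way to tell header byte-order trouble apart from a DLT/WTAP_ENCAP mismatch.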
- Follow-Ups:
- Re: [Wireshark-dev] capturing data from a propietary device
- From: Guy Harris
- Re: [Wireshark-dev] capturing data from a propietary device
- From: Ulf Lamping
- Re: [Wireshark-dev] capturing data from a propietary device
- References:
- Re: [Wireshark-dev] capturing data from a propietary device
- From: Ulf Lamping
- Re: [Wireshark-dev] capturing data from a propietary device