
Wireshark-dev: Re: [Wireshark-dev] capturing data from a proprietary device

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 10 Jul 2007 16:41:52 -0700

On Jul 10, 2007, at 1:42 PM, Fulko.Hew@xxxxxxxxx wrote:

> I'm trying to figure out how to format (or where to place the data)
> in the pcap buffer when capturing my WAN protocols.

> I've built a system that will capture the data and feed it via pcap to wireshark, and I've got it working for Ethernet data and for frame relay data, but I'm having trouble dealing with getting the proprietary data into wireshark intact so that I can later write a dissector.

> (I'm going to test everything out before submitting my requests for a set of DLT_ numbers for these protocols. In the meantime, I've just taken the next few currently un-assigned ones while I work on my code).

> The trouble is that I don't know what values to put into: off_linktype, off_nl and off_nl_nosnap for my DLT cases. (And I think that's where my problem lies.)

Given that off_linktype, off_nl, and off_nl_nosnap are used *only* by the BPF code generator when it generates code for a capture filter, I really really really don't think that's where your problem lies, unless your problem is a problem with capture filters, and from what you say, it's *not* a problem with capture filters (as capture filters only control which packets are captured, they don't control the format of the packet).

> Right now, the first thing in each received buffer is the typical 16 bytes of: timestamp_sec, timestamp_usec, capture_len, pkt_len, which is followed by 'n' bytes of my protocol's data.

I.e., each received buffer is a "struct pcap_pkthdr", followed by the packet data.

Presumably, if you've implemented a libpcap module for this (if that's what "capture the data and feed it via pcap" means), then, presumably, your "read_op" routine is calling the callback routine with the second argument pointing to the 16-byte "struct pcap_pkthdr" header and the third argument pointing to the protocol data.

> When Wireshark goes to display it, the Protocol column says 'unknown', which I can understand, because I don't have any dissectors for that DLT (WTYP_ENCAP) type yet.

> The Info column says WTAP_ENCAP = 94. (I don't see where it gets the value of '94' from.)

Presumably, in order for your file to be read *at all* by Wireshark, you modified Wireshark so that the pcap_to_wtap_map[] array in wiretap/libpcap.c maps the relevant "currently un-assigned" DLT_ values you're using (note that the "the next few currently un-assigned" values start at 196; *ALL* values from 100 through 196 are assigned) to some WTAP_ENCAP value. If it maps it to 94, then that's where the 94 comes from - but 94 is, in the top-of-tree version of Wireshark, WTAP_ENCAP_NETTL_RAW_TELNET, so you probably don't want to map anything to that.

> The summary pane (for the first message) says:
>
> Frame 1 had (6 bytes on wire, 6 bytes captured)
> Data (6 bytes)
>
> and the (related) detail pane says:
>
> 0000  7f 56 ae 93 46 7e

Then the capture file that Wireshark is reading, if it's a libpcap-format file, must have had a capture_len value of 6 and a len value of 6.

Where did that file come from? Did you modify libpcap so that it can capture from your device, and did you use Wireshark to capture the traffic, or do you have some other program capturing from your device and writing out a libpcap-format file?
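The file layout Guy is describing (a 16-byte record header of four 32-bit fields, then the packet bytes, with capture_len and len both 6 for the frame shown) can be checked without libpcap at all. The following is an added example written for this page; it is neither libpcap's nor Wireshark's code, and it defines its own copies of the on-disk pcap headers rather than including pcap.h. `PLACEHOLDER_DLT` (196) is a hypothetical stand-in for a private link type and must not be read as an assigned value, and `sample_pkt` is constructed from the six bytes quoted above. The reader only accepts files written in the host's byte order (it checks the magic number) and rejects records whose incl_len exceeds orig_len or the snaplen, which is the kind of inconsistency that makes Wireshark display a frame with the wrong length or refuse the file.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed copies of the libpcap *file* format headers (not libpcap's
 * own declarations). The global header is 24 bytes; every record is a
 * 16-byte header of four 32-bit fields followed by incl_len packet bytes.
 * libpcap's in-memory struct pcap_pkthdr holds a struct timeval instead,
 * so its size varies by platform; only the on-disk header is 16 bytes. */
struct pcap_file_header_disk {
    uint32_t magic;         /* 0xa1b2c3d4: microsecond timestamps */
    uint16_t version_major; /* 2 */
    uint16_t version_minor; /* 4 */
    int32_t  thiszone;      /* GMT offset, normally 0 */
    uint32_t sigfigs;       /* normally 0 */
    uint32_t snaplen;       /* maximum bytes captured per packet */
    uint32_t linktype;      /* DLT_ value */
};

struct pcap_rec_header_disk {
    uint32_t ts_sec;
    uint32_t ts_usec;
    uint32_t incl_len;      /* bytes actually saved (capture_len) */
    uint32_t orig_len;      /* bytes on the wire (pkt_len) */
};

#define PCAP_MAGIC      0xa1b2c3d4u
#define PLACEHOLDER_DLT 196u  /* hypothetical private DLT, not an assigned value */

/* Sample packet, constructed from the bytes quoted in the thread. */
static const uint8_t sample_pkt[] = { 0x7f, 0x56, 0xae, 0x93, 0x46, 0x7e };

/* Write a single-packet pcap file. Returns 0 on success, -1 on error. */
int write_one_packet_pcap(const char *path, uint32_t linktype,
                          const uint8_t *pkt, uint32_t caplen, uint32_t len)
{
    struct pcap_file_header_disk fh = { PCAP_MAGIC, 2, 4, 0, 0, 65535u, linktype };
    struct pcap_rec_header_disk  rh = { 1184110912u, 0, caplen, len };
    FILE *f;

    if (caplen > len || caplen > fh.snaplen) return -1; /* inconsistent lengths */
    f = fopen(path, "wb");
    if (!f) return -1;
    if (fwrite(&fh, sizeof fh, 1, f) != 1 ||
        fwrite(&rh, sizeof rh, 1, f) != 1 ||
        fwrite(pkt, 1, caplen, f) != caplen) {
        fclose(f);
        return -1;
    }
    return fclose(f) == 0 ? 0 : -1;
}

/* Read the first record of a pcap file written in this host's byte order.
 * Returns the number of packet bytes copied into buf, or -1 if the magic
 * is wrong, the lengths are inconsistent, or the file is truncated. */
long read_first_packet_pcap(const char *path, uint32_t *linktype,
                            uint32_t *caplen, uint32_t *len,
                            uint8_t *buf, size_t bufsz)
{
    struct pcap_file_header_disk fh;
    struct pcap_rec_header_disk  rh;
    FILE *f = fopen(path, "rb");

    if (!f) return -1;
    if (fread(&fh, sizeof fh, 1, f) != 1 || fh.magic != PCAP_MAGIC ||
        fread(&rh, sizeof rh, 1, f) != 1 ||
        rh.incl_len > rh.orig_len || rh.incl_len > fh.snaplen ||
        rh.incl_len > bufsz ||
        fread(buf, 1, rh.incl_len, f) != rh.incl_len) {
        fclose(f);
        return -1;
    }
    fclose(f);
    *linktype = fh.linktype;
    *caplen   = rh.incl_len;
    *len      = rh.orig_len;
    return (long)rh.incl_len;
}

/* Round trip: write the sample packet, read it back, and return 1 if the
 * link type, both lengths and the bytes all survive, else 0. */
int roundtrip_sample(const char *path)
{
    uint32_t lt = 0, cl = 0, ln = 0;
    uint8_t buf[64];
    long n;

    if (write_one_packet_pcap(path, PLACEHOLDER_DLT, sample_pkt,
                              sizeof sample_pkt, sizeof sample_pkt) != 0)
        return 0;
    n = read_first_packet_pcap(path, &lt, &cl, &ln, buf, sizeof buf);
    return n == (long)sizeof sample_pkt && lt == PLACEHOLDER_DLT &&
           cl == 6 && ln == 6 && memcmp(buf, sample_pkt, 6) == 0;
}

int main(void)
{
    printf("round trip %s\n", roundtrip_sample("example_capture.pcap") ? "ok" : "FAILED");
    return 0;
}
```

Opening the written file in Wireshark will show the same "6 bytes on wire, 6 bytes captured" summary as in the thread, and, unless the DLT value has been added to `pcap_to_wtap_map[]`, Wireshark will not know how to present it, which is exactly the mapping step Guy asks about.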