Wireshark-dev: Re: [Wireshark-dev] wslua: reading raw file?
From: Guy Harris <[email protected]>
Date: Wed, 09 Apr 2008 11:08:29 -0700
Németh Márton wrote:

I don't really understand your point,
My point is that writing the 24-byte libpcap file header at the 
beginning of a file - if that's what you mean by "I created a .pcap 
header and copied my raw file after it" - does no good whatsoever, and 
will never do any good whatsoever, and *should* never do any good 
whatsoever, unless what follows it is a list of packets with a 16-byte 
libpcap packet header before the data of each packet.  That header means 
"this is a libpcap-format file", which means that it contains a sequence 
of packets with libpcap-format packet headers, not just that it's 
something that is supposed to be read by Wireshark.
If your dissector is "on the Ethernet level", it's presumably a 
dissector for some link-layer network type; if you want to have 
Wireshark handle that link-layer network type, then, as per Luis's 
suggestion, you should either use one of the DLT_USERn link-layer types 
or ask for a DLT_ value from [email protected], convert your 
raw file to a libpcap-format file by putting a libpcap file header with 
the appropriate DLT_ value in front of the file and put an appropriate 
libpcap packet header int front of each packet, add a WTAP_ENCAP_ type 
and modify wiretap/libpcap.c to map your DLT_ to that WTAP_ENCAP type if 
you got a DLT_ value from tcpdump-workers, and add your dissector, 
having it register itself in the "wtap_encap" with WTAP_ENCAP_USERn if 
you're using DLT_USERn or with the new WTAP_ENCAP_ value if you've added 
maybe I did not describe well what
I would like to do. I would like to write a dissector which is similar to
how Wireshark can open .mp3 files. The .mp3 files don't have libpcap headers
at all, but Wireshark can handle them.
If it's "similar to how Wireshark can open .mp3 files", it doesn't sound 
at all as if it's "on the Ethernet level" in a networking sense, so, 
yes, you didn't describe it well; if you're using it as a file dissector 
rather than a packet dissector, you should've said it was similar to the 
way Wireshark dissects MP3's.
My question is that is it possible to create a dissector which reads a
raw file without libpcap header?
As Luis said, you need more than a dissector.  Dissectors don't know how 
to read Wireshark input files, they know how to dissect blobs of binary 
data - that way, the Ethernet dissector can dissect an Ethernet packet 
regardless of whether it comes from a libpcap-format file or an 
EtherPeek/OmniPeek file or a Sniffer file or a Microsoft Network Monitor 
file or....
Wireshark has, in the "wiretap" directory, a library that it uses to 
read input files.  The Wiretap library tries opening the file as several 
different file types, stopping when it succeeds or fails with an 
operating system error, and continuing on to the next file type if it 
succeeds in opening the file at the OS level but finds that the file is 
not of the type it's trying.
Many file formats, including libpcap files, can easily be identified, as 
they have a "magic number" value early in the file at a fixed location. 
 Those file types are tried first.  Later formats require heuristics to 
try to guess whether they're in the specified format or not.
MPEG files are "magic number" files; see wiretap/mpeg.c.

You would need to write a Wiretap module for your file format; this means that either your file format *MUST* either have a magic number or that there *MUST* be some reasonably reliable way of determining whether a file is one of your files or not.
If Wireshark doesn't already have a WTAP_ENCAP_ type for the object or 
objects in your file format, you will need to add one.
Once you have a Wiretap module for your file format and a WTAP_ENCAP_ 
type for the object or objects in your file format, you could then write 
a dissector for the object or objects in your file format, and have it 
registered to handle that WTAP_ENCAP_ type.