My point is that writing the 24-byte libpcap file header at the
beginning of a file - if that's what you mean by "I created a .pcap
header and copied my raw file after it" - does no good whatsoever, and
will never do any good whatsoever, and *should* never do any good
whatsoever, unless what follows it is a list of packets with a 16-byte
libpcap packet header before the data of each packet. That header means
"this is a libpcap-format file", which means that it contains a sequence
of packets with libpcap-format packet headers, not just that it's
something that is supposed to be read by Wireshark.
If your dissector is "on the Ethernet level", it's presumably a
dissector for some link-layer network type; if you want to have
Wireshark handle that link-layer network type, then, as per Luis's
suggestion, you should either use one of the DLT_USERn link-layer types
or ask for a DLT_ value from [email protected], convert your
raw file to a libpcap-format file by putting a libpcap file header with
the appropriate DLT_ value in front of the file and put an appropriate
libpcap packet header in front of each packet, add a WTAP_ENCAP_ type
and modify wiretap/libpcap.c to map your DLT_ to that WTAP_ENCAP type if
you got a DLT_ value from tcpdump-workers, and add your dissector,
having it register itself in the "wtap_encap" with WTAP_ENCAP_USERn if
you're using DLT_USERn or with the new WTAP_ENCAP_ value if you've added
> maybe I did not describe well what
> I would like to do. I would like to write a dissector which is similar to
> how Wireshark can open .mp3 files. The .mp3 files don't have libpcap headers
> at all, but Wireshark can handle them.
If it's "similar to how Wireshark can open .mp3 files", it doesn't sound
at all as if it's "on the Ethernet level" in a networking sense, so,
yes, you didn't describe it well; if you're using it as a file dissector
rather than a packet dissector, you should've said it was similar to the
way Wireshark dissects MP3's.
> My question is: is it possible to create a dissector which reads a
> raw file without a libpcap header?
As Luis said, you need more than a dissector. Dissectors don't know how
to read Wireshark input files, they know how to dissect blobs of binary
data - that way, the Ethernet dissector can dissect an Ethernet packet
regardless of whether it comes from a libpcap-format file or an
EtherPeek/OmniPeek file or a Sniffer file or a Microsoft Network Monitor
Wireshark has, in the "wiretap" directory, a library that it uses to
read input files. The Wiretap library tries opening the file as several
different file types, stopping when it succeeds or fails with an
operating system error, and continuing on to the next file type if it
succeeds in opening the file at the OS level but finds that the file is
not of the type it's trying.
Many file formats, including libpcap files, can easily be identified, as
they have a "magic number" value early in the file at a fixed location.
Those file types are tried first. Later formats require heuristics to
try to guess whether they're in the specified format or not.
MPEG files are "magic number" files; see wiretap/mpeg.c.
You would need to write a Wiretap module for your file format; this
means that your file format *MUST* either have a magic number or
that there *MUST* be some reasonably reliable way of determining whether
a file is one of your files or not.
If Wireshark doesn't already have a WTAP_ENCAP_ type for the object or
objects in your file format, you will need to add one.
Once you have a Wiretap module for your file format and a WTAP_ENCAP_
type for the object or objects in your file format, you could then write
a dissector for the object or objects in your file format, and have it
registered to handle that WTAP_ENCAP_ type.