Wireshark-dev: Re: [Wireshark-dev] Dissector - Read data from file
From: Jaap Keuter <[email protected]>
Date: Tue, 27 May 2008 22:41:00 +0200

Well, the PCAP format is really simple, see http://wiki.wireshark.org/Development/LibpcapFileFormat for the details. Just write out the 24 byte global header, select a suitable datalink type (there are several HDLC like types already, maybe one fits) and start adding packet headers and data from there. There's nothing much to it.

Hans Glück wrote:

thanks for the reply, but I think I had a false start, sorry. I should describe my problem more detailed...

I have a proprietary program/file (this file contains data from a multiplexer-trace in a GSM device -> the protocol/ packets is based on HDLC). I can export the data out of proprietary file to a XML-file. Wireshark doesn`t understand that format so I have the 3 options posted at the wireshark wiki (PacketInput). Because of my limited time, I think it will be the best way if  I´ll choose the way to convert the XML-file to a file which wireshark understands (libpcap). But I do not understand how to convert it, I mean how do I add the global header etc? I will convert it from XML file to *.txt file and then?

This is an example out of the XML file (just for your information)

<Transaction type="OUT" device="1" endpoint="2" status="ACK" speed="FS" time="8.443 704 917">
    <Packet id="OUT" speed="FS" time="8.443 704 917">
    <Packet id="DATA0" speed="FS" time="8.443 707 900">
        <data>F9 07 88 09 61 74 69 0D 85 F9</data>
<Packet id="ACK" speed="FS" time="8.443 718 000"/>


----- Ursprüngliche Mail ----
Von: Jaap Keuter <[email protected]>
An: Developer support list for Wireshark <[email protected]>
Gesendet: Sonntag, den 25. Mai 2008, 18:21:02 Uhr
Betreff: Re: [Wireshark-dev] Dissector - Read data from file

Hans Glück wrote:

I´m writing a dissector but I do not want to read the data live from the network.
The dissector doesn't care where the data comes from.

I have a file (~60MB) with the data I want to dissect. What should I do that I can read the data from this file (e.g. that the user
can choose the file he/she want to analyze).

If the file is in any of the many formats Wireshark can read just open it.
You might want to split the file up before loading it, since it might consume your systems memory with state information.