
Wireshark-dev: Re: [Wireshark-dev] How to make libpcap/wiretap understand proprietary/standard

From: Gaurav1 Jain <gaurav1.jain@xxxxxx>
Date: Wed, 24 Sep 2008 13:59:05 +0530

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Tuesday, September 23, 2008 10:45 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] How to make libpcap/wiretap understand proprietary/standard link-layers


On Sep 22, 2008, at 8:33 PM, Gaurav1 Jain wrote:

> Gaurav1 Jain: To be more precise, E1 data is passed to libpcap as it
> is,

Well, it's passed to a PF_PACKET socket, if you're capturing on Linux,
unless you've modified libpcap.

What driver is passing the packets to the Linux networking stack?

Gaurav: The Wanpipe driver is the interface with libpcap.

> as is received by Card on line (after removing info like CRC etc).
> For example if format of LAPD modulo 8 (based on HDLC format) is as
> per attached in the mail (LAPD_format_E1.bmp).

That's not attached to your mail.

Gaurav: Please see attachment with my last mail on 19th Sep.

> Then packet on IP interface will be as attached in
> Message_Passed_To_LibPcap.bmp

That's also not attached to your mail.


Gaurav: Please see attachment with my last mail on 19th Sep.

> It means that Driver in card is not adding/tweaking information/
> header to received packet. With this LibPcap receives packet with
> link-type as HDLC and without flag and CRC bits attached to the
> packets.

Do you have an example of a capture of that sort?  If so, you've
modified libpcap, as it does *NOT* support a link-layer type of "HDLC"
- it supports ARPHRD_CISCO, which is 513, but that's just "Cisco
HDLC", not, for example, LAPD.

Gaurav: Libpcap received packet in cooked format and hence attaches pseudo header of its own.

> Another type of frame is Transparent frame where card can not
> identify start of frame

What type of traffic is that?  Circuit-switched voice?

Gaurav: Packet Switched traffic between BTS and BSC over Abis.

> and hence a packet gets scattered over multiple packets where start
> of packet given to libPcap is not necessarily the start of
> logical message (it can be at any offset to that message). Here also
> no tweaking is done with what is received at line and passed as it
> is to WireShark interface. This kind of traffic is quite fast in
> nature (around 160 byte/20 msec). This frame again has some
> proprietary L2 frame format and L3 information in it.

Does that currently work with libpcap?  If so, what ARPHRD_ value does
the interface have?

Gaurav: Both HDLC and TRANSPARENT frames are given to libpcap using ARPHRD_PPP.

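
The cooked-mode pseudo-header and ARPHRD_ values discussed in this thread, as an added example that is not part of the original mails or of libpcap's own code: a parser for the 16-byte Linux cooked-capture (DLT_LINUX_SLL) header that reports which ARPHRD_ value a record carries. The names `sll_parse`, `sll_info` and `sll_arphrd_name` and the sample record are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SLL_HDR_LEN 16  /* fixed size of the cooked-capture pseudo-header */

struct sll_info {
    uint16_t pkttype;     /* 0 = sent to us, 4 = sent by us, ... */
    uint16_t arphrd;      /* ARPHRD_ value reported by the interface */
    uint16_t addr_len;    /* link-layer address length (may exceed 8) */
    uint16_t protocol;    /* protocol field, meaning depends on arphrd */
    size_t   payload_off; /* offset of the frame the driver delivered */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* All header fields are big-endian. Returns 0 on success, -1 if truncated. */
int sll_parse(const uint8_t *buf, size_t len, struct sll_info *out)
{
    if (buf == NULL || out == NULL || len < SLL_HDR_LEN)
        return -1;
    out->pkttype = be16(buf);
    out->arphrd = be16(buf + 2);
    out->addr_len = be16(buf + 4);   /* bytes 6..13 hold the address */
    out->protocol = be16(buf + 14);
    out->payload_off = SLL_HDR_LEN;
    return 0;
}

const char *sll_arphrd_name(uint16_t arphrd)
{
    switch (arphrd) {
    case 1:   return "ARPHRD_ETHER";
    case 512: return "ARPHRD_PPP";
    case 513: return "ARPHRD_CISCO";  /* Cisco HDLC only, not LAPD */
    default:  return "unknown";
    }
}

/* Constructed sample: header claims ARPHRD_PPP, payload is arbitrary bytes. */
static const uint8_t sample_record[] = {
    0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0, 0, 0, 0, 0, 0, 0, 0, 0x00, 0x03,
    0x00, 0x01, 0x01, 0x01 };

int main(void)
{
    struct sll_info i;
    if (sll_parse(sample_record, sizeof sample_record, &i) != 0) return 1;
    printf("%s (%u), payload at offset %zu\n", sll_arphrd_name(i.arphrd),
           (unsigned)i.arphrd, i.payload_off);
    return 0;
}
```

The header only records what the interface claimed; when a driver reports ARPHRD_PPP for frames that are not PPP, the bytes after offset 16 still need a dissector chosen by other means.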