ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
April 17th, 2024 | 14:30-16:00 SGT (UTC+8) | Online
Wireshark logo

Wireshark-dev: Re: [Wireshark-dev] writing non-Ethernet pcapng files

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Aaron Turner <synfinatic@xxxxxxxxx>
Date: Thu, 21 May 2009 15:48:31 -0700
Looks like there was a bug where WTAP codes weren't being properly
converted to DLT types and since ethernet == ethernet, that worked,
but most everything else didn't.

I've attached a patch which I've tested with HDLC, 802.11, 802.11 w/
radio headers and Juniper Ethernet.  The first three work just fine,
but Wireshark isn't properly decoding the Juniper Ethernet pcapng file
even though it appears correctly formatted:

0000000: 0a0d 0d0a 1c00 0000 4d3c 2b1a 0100 0000  ........M<+.....
0000010: ffff ffff ffff ffff 1c00 0000 0100 0000  ................
0000020: 1400 0000 b200 0000 dc05 0000 1400 0000  ................
0000030: 0600 0000 8400 0000 0100 0000 2f69 0400  ............/i..
0000040: d61a b423 6400 0000 6400 0000 4d47 4380  ...#d...d...MGC.

As you can see at offset 0x24-25, the encoded DLT is 178  which is
Juniper Ethernet, but capinfos/Wireshark is returning Unknown.  I
haven't bothered to track down why wireshark (latest 1.1.x from svn)
handles this for pcap but not pcapng.

Side note: I thought wireshark coding standard was to uses spaces and
not tabs, but pcapng.c seemed to be tabbed so I maintained that.  If
someone wants me to do differently, let me know.


-- 
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin



On Thu, May 21, 2009 at 1:39 PM, Aaron Turner <synfinatic@xxxxxxxxx> wrote:
> On Thu, May 21, 2009 at 1:06 PM, Michael Tüxen
> <Michael.Tuexen@xxxxxxxxxxxxxxxxx> wrote:
>> Hi Aaron,
>>
>> I see what you mean. I'm using pcapio.[ch] in dumpcap,
>> so I'm using WTAP_ENCAP_PER_PACKET...
>>
>> Can you file a bug report at https://bugs.wireshark.org/bugzilla/
>> such that it does not get forgotten. Please describe
>> what you want to get working (possibly providing the
>> input file). Then it does not get lost.
>>
>> I will look at it after finishing the capturing support,
>> if no one else takes the issue earlier.
>
> Well looks like it was more work then I thought... converting from
> pcap to pcapng looses the ecapsulation type for some reason (at least
> with my HDLC test).  I'm going to see if I can dig around and figure
> out what's going on.
>
> --
> Aaron Turner
> http://synfin.net/
> http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
> Those who would give up essential Liberty, to purchase a little temporary
> Safety, deserve neither Liberty nor Safety.
>    -- Benjamin Franklin
>

Attachment: pcapng-export.patch
Description: Binary data

Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube