
Wireshark-dev: Re: [Wireshark-dev] offline dissection of network protocols

From: Tyson Key <tyson.key@xxxxxxxxx>
Date: Fri, 29 May 2009 13:32:21 +0100
Hi Selçuk, if you're doing anything involving multiple link types and Wireshark/dumpcap, you'll want to check out the enhanced pcap-ng file format support in the latest SVN versions of Wireshark. So it seems mergecap doesn't support merging multiple link-layer types in pcap-ng files yet, although as a workaround, you can concatenate the files (dumped with dumpcap -n) in order of date/time created, and receive a usable result.

Otherwise, if you ended up with a "cooked" capture file (as produced by capturing on the Linux "any" pseudo-device), you'll only get useful data from some of the packets.

As with the pcap file format, I believe that the pcap_* APIs only let you work with one link-layer type at a time, although others are free to correct me on that, since I haven't worked with them directly.

I hope that helps,
Tyson.

On Fri, May 29, 2009 at 1:23 PM, Selçuk Cevher <cevhers@xxxxxxxxx> wrote:
Hi Everybody,

First of all, I am not sure if this is the right place to ask this question.

How can I determine the protocol running on the data link layer (i.e., Ethernet, Wi-Fi 802.11, etc.) while analyzing packets in a "merged" dumped file with pcap format, if the pcap file contains a mixture of packets with various data link layer protocols?

libpcap has a pcap_datalink(...) function allowing us to determine the data link layer protocol for live capture -- it gets this information directly from the actual network interface that is sniffed on.

However, in the case of offline analysis, it seems pcap_datalink() will not work, since it is not possible to know what kind of interface those packets came from.

Any idea?

Thanks.


--
Fight Internet Censorship! http://www.eff.org
              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://i9.house404.co.uk/ | Twitter/FriendFeed/Skype: vmlemon | +447549728105
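The link type the question asks about is not lost when a capture is written to disk: classic pcap stores one link type for the whole file in its 24-byte global header (this is what pcap_datalink() returns after pcap_open_offline()), while pcap-ng stores one per Interface Description Block, which is how a single file can hold Ethernet and 802.11 frames side by side. The C code below is an added example, not code from this thread or from libpcap; the two file images, `SAMPLE_PCAP` and `SAMPLE_PCAPNG`, are constructed by hand, and both parsing functions are mine.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: classic pcap global header, little-endian, linktype 1 (Ethernet). */
static const uint8_t SAMPLE_PCAP[24] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00, 0,0,0,0, 0,0,0,0,
    0xff,0xff,0x00,0x00, 0x01,0x00,0x00,0x00 };

/* Constructed sample: pcap-ng Section Header Block followed by two Interface
   Description Blocks with linktype 1 (Ethernet) and 105 (IEEE 802.11). */
static const uint8_t SAMPLE_PCAPNG[68] = {
    0x0a,0x0d,0x0d,0x0a, 28,0,0,0, 0x4d,0x3c,0x2b,0x1a, 1,0, 0,0,
    0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 28,0,0,0,
    1,0,0,0, 20,0,0,0, 1,0, 0,0, 0xff,0xff,0,0, 20,0,0,0,
    1,0,0,0, 20,0,0,0, 105,0, 0,0, 0xff,0xff,0,0, 20,0,0,0 };

/* Little-endian readers; `swap` flips byte order for files written big-endian. */
static uint32_t rd32(const uint8_t *p, int swap) {
    return swap ? (uint32_t)p[0]<<24 | (uint32_t)p[1]<<16 | (uint32_t)p[2]<<8 | p[3]
                : (uint32_t)p[3]<<24 | (uint32_t)p[2]<<16 | (uint32_t)p[1]<<8 | p[0];
}
static uint16_t rd16(const uint8_t *p, int swap) {
    return swap ? (uint16_t)(p[0]<<8 | p[1]) : (uint16_t)(p[1]<<8 | p[0]);
}

/* Classic pcap: the whole file has one link type, at offset 20 of the global header.
   Accepts the microsecond and nanosecond magics in either byte order; -1 on error. */
int pcap_file_linktype(const uint8_t *buf, size_t len) {
    if (len < 24) return -1;
    uint32_t magic = rd32(buf, 0);
    int swap = (magic == 0xa1b2c3d4 || magic == 0xa1b23c4d) ? 0
             : (magic == 0xd4c3b2a1 || magic == 0x4d3cb2a1) ? 1 : -1;
    return swap < 0 ? -1 : (int)rd32(buf + 20, swap);
}

/* pcap-ng: every Interface Description Block (type 1) carries its own link type at
   offset 8. Fills `out` with one entry per IDB (up to `max`) and returns the count;
   -1 if the section header or a block length is malformed. */
int pcapng_interface_linktypes(const uint8_t *buf, size_t len, int *out, int max) {
    size_t off = 0; int n = 0;
    if (len < 28 || rd32(buf, 0) != 0x0a0d0d0a) return -1;
    uint32_t bom = rd32(buf + 8, 0);
    int swap = bom == 0x1a2b3c4d ? 0 : bom == 0x4d3c2b1a ? 1 : -1;
    if (swap < 0) return -1;
    while (off + 12 <= len) {
        uint32_t type = rd32(buf + off, swap), blen = rd32(buf + off + 4, swap);
        if (blen < 12 || (blen & 3) || off + blen > len) return -1;   /* never trust lengths */
        if (type == 1 && blen >= 20 && n < max) out[n++] = rd16(buf + off + 8, swap);
        off += blen;
    }
    return n;
}
```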