Wireshark-dev: Re: [Wireshark-dev] Dissecting packets via wtap file
Thank you very much for your valuable inputs. Here is my update:

> What types of packets do you have in your file format?

The packets can be of ETHERNET, ATM, RAW IP, etc., and the packets are for link-layer types that Wireshark already understands. I will have a live capture of packets and send those packets continuously to Wireshark through an IPC mechanism. A magic value is added to the packets. So can those packets be decoded inside Wireshark using the wtap “open”, “read” and “seek and read”? Do I have to write a new dissector? Please help.

Thanks & Regards,
Sajit

From: Guy Harris <guy () alum mit edu>

> I have my own file format. Now using the “open”, “read” and “seek and read” of wtap, can I decode the whole file?

What types of packets do you have in your file format?

If they're packets for a link-layer protocol that Wireshark already understands, then you just need to have Wiretap return the right WTAP_ENCAP_ value for that protocol. For example, if they're Ethernet packets, use WTAP_ENCAP_ETHERNET.

If they're packets for a link-layer protocol that Wireshark *doesn't* already understand, you would need to:

- add a new WTAP_ENCAP_ value for that protocol;
- write a new dissector for that protocol, and have it register itself in the "wtap_encap" dissector table with the new WTAP_ENCAP_ value;
- possibly write dissectors for the protocols that run atop that protocol, if there are any and Wireshark doesn't already have dissectors for them (if there are some, and Wireshark *does* have dissectors for them, you would have to arrange that your dissector can call them).

From: Sajit Nayak [mailto:[email protected]]

Hi Sir,

I have my own file format. Now using the “open”, “read” and “seek and read” of wtap, can I decode the whole file? If yes, please tell me the detailed procedures.

Thanks & Regards,
Sajit
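Guy's answer hinges on the wiretap open / read / seek-and-read contract and on returning the right WTAP_ENCAP_ value. The following is an added illustration, not code from this thread or from Wireshark: a small Python model of those three routines over a constructed file format whose magic, header and record layout are assumptions; the WTAP_ENCAP_ names are the real Wiretap identifiers, and the model covers the case the mixed ETHERNET/ATM/RAW IP description implies, where the file as a whole must report WTAP_ENCAP_PER_PACKET and each record carries its own encapsulation.

```python
import struct
# Constructed toy format (an assumption for this example, not a real Wireshark format
# and not Sajit's): header = 4-byte magic | u8 file_type (0 = mixed, else a code
# below); record = u8 type | u32 caplen | payload. Names are real WTAP_ENCAP_ ids.
MAGIC = b"SJIT"
HDR = struct.Struct("<4sB")
REC = struct.Struct("<BI")
ENCAP_NAMES = {1: "WTAP_ENCAP_ETHERNET", 2: "WTAP_ENCAP_ATM_RFC1483", 3: "WTAP_ENCAP_RAW_IP"}

def wtap_open(data):
    """Open routine: recognise the magic, fix file_encap; None = not my format."""
    if len(data) < HDR.size or data[:4] != MAGIC:
        return None
    _, ftype = HDR.unpack_from(data, 0)
    if ftype == 0:
        file_encap = "WTAP_ENCAP_PER_PACKET"  # mixed link types: each record says
    elif ftype in ENCAP_NAMES:
        file_encap = ENCAP_NAMES[ftype]
    else:
        raise ValueError(f"unknown file type code {ftype}")
    return {"data": data, "file_encap": file_encap, "offset": HDR.size}

def wtap_seek_read(wth, offset):
    """seek_read: parse exactly one record at a known offset, bounds-checked."""
    data = wth["data"]
    if offset + REC.size > len(data):
        raise EOFError(f"record header truncated at {offset}")
    rtype, caplen = REC.unpack_from(data, offset)
    if rtype not in ENCAP_NAMES:
        raise ValueError(f"bad record type {rtype} at {offset}")
    start, end = offset + REC.size, offset + REC.size + caplen
    if end > len(data):
        raise EOFError(f"record payload truncated at {offset}")
    encap = ENCAP_NAMES[rtype]
    if wth["file_encap"] not in ("WTAP_ENCAP_PER_PACKET", encap):
        raise ValueError("record encap contradicts the file header")
    return {"offset": offset, "encap": encap, "payload": data[start:end]}

def wtap_read(wth):
    """read: next record in sequence, advancing the cursor; None at clean EOF."""
    if wth["offset"] == len(wth["data"]):
        return None
    rec = wtap_seek_read(wth, wth["offset"])
    wth["offset"] += REC.size + len(rec["payload"])
    return rec

# Constructed sample: an Ethernet frame (broadcast, IPv4 ethertype), then a raw IP record.
SAMPLE = (HDR.pack(MAGIC, 0)
          + REC.pack(1, 14) + b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
          + REC.pack(3, 20) + bytes(20))
```

A real wiretap module hands the encapsulation back through its C structures rather than strings, and its seek_read must reproduce exactly what read produced at that offset, which is why both routines here share one bounds-checked parser.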