Ethereal-dev: Re: [Ethereal-dev] TZSP Patch
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Guy Harris <gharris@xxxxxxxxx>
Date: Fri, 27 Dec 2002 16:08:10 -0800
On Thu, Dec 26, 2002 at 10:02:40PM -0800, Chris Waters wrote: > This patch is for the TZSP protocol. I have submitted it before, however > this time it is with a proper libpcap DLT value. Only link-layer protocols, such as Ethernet, get a DLT_ value. Presumably you don't have your own physical network type for TZSP, so you don't need a DLT_ value for it - you'd just write a dissector to run atop raw Ethernet, or UDP, or whatever protocol TZSP runs atop. If, however, you want to dissect the captures sent *over* TZSP, rather than dissecting the TZSP protocol *itself*, that would require a DLT_ value if the captures are written to a tcpdump-format file. However, if this is intended to be a protocol for sending *arbitrary* link-layer types, rather than just 802.11, using Ethereal WTAP_ENCAP values for the encapsulation is the wrong answer as: WTAP_ENCAP values are not guaranteed to remain the same over time; WTAP_ENCAP values don't just specify the encapsulation of the raw frame data - they also specify, in some cases, "pseudo-headers" that are constructed from both per-packet headers in the file format that are not part of the raw frame data and from raw frame data if the particular capture file format happens to put that sort of information in raw frame data; DLT_ formats for libpcap should not contain anything tied to Ethereal, because it should be possible for applications not based on Ethereal code to read captures in libpcap format. For example, WTAP_ENCAP_IEEE_802_11_WITH_RADIO specifies a pseudo-header for the radio information - in Sniffer Wireless captures, the radio information is stored in per-packet headers that aren't part of the raw frame data, and in AiroPeek captures, the radio information is stored in the beginning of the raw frame data. Wiretap hides those details from the 802.11 dissector, supplying to Ethereal a pseudo-header containing the radio information and raw frame data containing only the 802.11 frame, *not* any radio information. If the TZSP protocol is intended to be used for arbitrary link-layer types, the encapsulation type should be a DLT_ type. DLT_TZSP should instead be a DLT_ value for "802.11 plus the WSP100's TLV information", and new DLT_ values should be added as additional link-layer types are supported by it. (If the TZSP protocol is *not* intended to be used for arbitrary link-layer types, it needn't contain an encapsulation value at all.) Note, however, the recent tcpdump-workers discussion of the "to TLV or not to TLV" issue: http://www.tcpdump.org/lists/workers/2002/12/msg00108.html http://www.tcpdump.org/lists/workers/2002/12/msg00113.html http://www.tcpdump.org/lists/workers/2002/12/msg00116.html http://www.tcpdump.org/lists/workers/2002/12/msg00122.html in which Solomon Peachy gives the reasons why *his* "802.11 plus extra information" capture file format - supported by current-CVS libpcap (which just skips the extra information), current-CVS tcpdump (which just skips the extra information, although it could be made to print it), and current-CVS Ethereal (I forget whether it was checked in before 0.9.8 or not) - doesn't use TLVs. His format is documented in http://www.shaftnet.org/~pizza/software/capturefrm.txt Counter-arguments should be directed to Solomon, not to me; I'm CCing him in case either 1) he's not on ethereal-dev or 2) he didn't notice this thread. Note that a header containing TLVs, and no indication before the TLVs of the total length of all the TLVs, *cannot* be skipped by libpcap BPF filters when testing packet headers (thus making it impossible to use capture filters), as BPF does not support backwards branches (so that one cannot shove an infinite loop into the kernel; there *are* platforms on which non-privileged users can set BPF filters: % ls -l /dev/bpf* crw------- 1 guy wheel 23, 0 Jun 9 2002 /dev/bpf0 crw------- 1 guy wheel 23, 1 Jun 9 2002 /dev/bpf1 ), and thus BPF programs cannot loop. Solomon's header does have a length at the beginning, so libpcap could skip it (it currently skips it based on a hardwired length, but I may try to fix that for the release of libpcap after 0.8).
- Follow-Ups:
- Re: [Ethereal-dev] TZSP Patch
- From: Chris Waters
- Re: [Ethereal-dev] TZSP Patch
- References:
- [Ethereal-dev] TZSP Patch
- From: Chris Waters
- [Ethereal-dev] TZSP Patch
- Prev by Date: Re: [Ethereal-dev] Handling of TVBs
- Next by Date: RE: [Ethereal-dev] parsing the whole dir using ethereal for the error checking of p ackets
- Previous by thread: [Ethereal-dev] TZSP Patch
- Next by thread: Re: [Ethereal-dev] TZSP Patch
- Index(es):