On Tuesday, July 8, 2003, at 2:04 PM, Jeff Morriss wrote:
1) What is the fake link layer?
---------------------------------
The fake link layer is a dissector in Ethereal that allows Ethereal to read a capture file (in PCAP format: fake link has (TODO: will have) its own DLT_ file format identifier reserved in libpcap) that contains some protocol layer without any of the lower level protocol parts (headers, trailers) on it. Examples include MTP3 without the MTP2 header or SCCP without MTP3 (or below). A (TODO: bad?) non-SS7 example would be TCP without IP (and without Ethernet).
Why? Because there are some protocols that Ethereal understands most of but could not (prior to Fake Link) decode directly because those protocols don't run over a link layer that Ethereal understands. A good example of this is SS7: Ethereal understands a good number of the SS7 protocols because people have developed dissectors for use with SIGTRAN (SS7 over IP) but Ethereal cannot capture directly from SS7 links.
It can't capture directly from ISDN links, either, but it does
understand ISDN links, at least at the level of frame plus channel
number (the D channel is dissected as LAPD; the B channel is dissected
as V.120 or PPP-in-HDLC-like-encapsulation, depending on heuristics).
The same applies to SDLC.
It understands those link layers because it can read captures from
other network analyzers that can do that (because they have hardware
pods to do so, as in the case of, for example, a Network Associates
Sniffer(R)).
3) How to write a fake link layer PCAP file?
----------------------------------------------
There are 2 methods that you can use to write out a fake link PCAP capture file: by using the Wiretap library (part of Ethereal) or by writing the file out directly from your application. It would make sense that libpcap could be used directly (which could be advantageous since it has a BSD license) but the APIs for libpcap do not seem to allow writing protocol packets to a file directly (it seems geared more towards capture-and-writing).
You could, with more recent versions of libpcap, probably cheat by
calling "pcap_open_dead()" and using the pcap_t * you get back from
that as the argument to "pcap_dump_open()".
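The "write the file out directly from your application" method from section 3, as an added example that is not from this thread, from Ethereal or from libpcap: a minimal pcap writer and reader in Python that emits records starting at the MTP3 layer with no MTP2 framing. The DLT value is a placeholder (the thread says the real one was still to be reserved) and the packet bytes are constructed samples.

```python
import struct

# Placeholder link-layer type: the thread says the fake link layer had yet to
# get its own DLT_ value reserved in libpcap, so this number is an assumption.
FAKE_LINK_DLT = 0xFFFF
PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
GLOBAL_HDR = "<IHHiIII"          # magic, ver maj/min, tz, sigfigs, snaplen, dlt
RECORD_HDR = "<IIII"             # ts_sec, ts_usec, incl_len, orig_len

# Constructed sample records: an MTP3 message with no MTP2 flags/BSN/FSN/LI
# around it. SIO byte first, then a 4-byte routing label, then SCCP-ish bytes.
SAMPLE_PACKETS = [
    (1057694640.000123, bytes.fromhex("83 01 00 00 00 09 00 03 05 07")),
    (1057694640.000456, bytes.fromhex("83 02 00 00 00 09 80 03 05 07 0a")),
]

def build_fake_link_pcap(packets, linktype=FAKE_LINK_DLT, snaplen=65535):
    """Serialise (timestamp, payload) pairs into a pcap file image whose
    link type tells the reader that each record starts at the fake-link payload."""
    out = [struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts, payload in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack(RECORD_HDR, sec, usec, len(payload), len(payload)))
        out.append(payload)
    return b"".join(out)

def write_fake_link_pcap(path, packets, linktype=FAKE_LINK_DLT):
    """Write the image to disk so Ethereal/tcpdump-style readers can open it."""
    with open(path, "wb") as f:
        f.write(build_fake_link_pcap(packets, linktype))

def parse_pcap(data):
    """Parse a pcap image back into (linktype, [(timestamp, payload), ...]),
    rejecting records that overrun the file or exceed the declared snaplen."""
    magic, _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack_from(GLOBAL_HDR, data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    off, packets = struct.calcsize(GLOBAL_HDR), []
    while off < len(data):
        sec, usec, incl, _orig = struct.unpack_from(RECORD_HDR, data, off)
        off += struct.calcsize(RECORD_HDR)
        if incl > snaplen or off + incl > len(data):
            raise ValueError("truncated or corrupt record at offset %d" % off)
        packets.append((sec + usec / 1_000_000, bytes(data[off:off + incl])))
        off += incl
    return linktype, packets
```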