Guy Harris wrote:

> On Tuesday, July 8, 2003, at 2:04 PM, Jeff Morriss wrote:
>
>> 1) What is the fake link layer?
>> ---------------------------------
>>
>> The fake link layer is a dissector in Ethereal that allows Ethereal to read a capture file (in PCAP format: fake link has (TODO: will have) its own DLT_ file format identifier reserved in libpcap) that contains some protocol layer without any of the lower level protocol parts (headers, trailers) on it. Examples include MTP3 without the MTP2 header or SCCP without MTP3 (or below). A (TODO: bad?) non-SS7 example would be TCP without IP (and without Ethernet).
>>
>> Why? Because there are some protocols that Ethereal understands most of but could not (prior to Fake Link) decode directly because those protocols don't run over a link layer that Ethereal understands. A good example of this is SS7: Ethereal understands a good number of the SS7 protocols because people have developed dissectors for use with SIGTRAN (SS7 over IP) but Ethereal cannot capture directly from SS7 links.
>
> It can't capture directly from ISDN links, either, but it does understand ISDN links, at least at the level of frame plus channel number (the D channel is dissected as LAPD; the B channel is dissected as V.120 or PPP-in-HDLC-like-encapsulation, depending on heuristics). The same applies to SDLC.
>
> It understands those link layers because it can read captures from other network analyzers that can do that (because they have hardware pods to do so, as in the case of, for example, a Network Associates Sniffer(R)).

Good point. In fact we don't have any standardized file format that we can (easily) use, so we're trying to just use the PCAP file format(s).

>> 3) How to write a fake link layer PCAP file?
>> ----------------------------------------------
>>
>> There are 2 methods that you can use to write out a fake link PCAP capture file: by using the Wiretap library (part of Ethereal) or by writing the file out directly from your application. It would make sense that libpcap could be used directly (which could be advantageous since it has a BSD license) but the APIs for libpcap do not seem to allow writing protocol packets to a file directly (it seems geared more towards capture-and-writing).
>
> You could, with more recent versions of libpcap, probably cheat by calling "pcap_open_dead()" and using the pcap_t * you get back from that as the argument to "pcap_dump_open()".

Okay, yes, that works well, too... Thanks for the pointer.

Does anybody have any thoughts on what direction to take with this? I'm leaning towards asking 'tcpdump-workers' for some new LINKTYPE_ definitions:

LINKTYPE_MTP2
LINKTYPE_MTP3
LINKTYPE_SCCP (Navin, I assume you want this one? I don't need it)

and ditch the "fake link" dissector for now. (But I'd like some level of agreement before doing so.)
Regards,
-Jeff
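Added example, not code from this thread nor from Ethereal, Wiretap or libpcap: the second of the two methods listed under "3) How to write a fake link layer PCAP file?", writing the file out directly from the application with no libpcap dependency. It serializes the classic pcap global header and one record whose packet bytes start straight at MTP3 (no MTP2 header underneath), and pairs the writer with a bounds-checked reader so a truncated file is refused instead of over-read. The linktype number 141 (the value libpcap later assigned to DLT_MTP3, which this thread was still requesting) and the MTP3 sample bytes are assumptions, not values from the message; the pcap_open_dead()/pcap_dump_open() route Guy mentions writes a file of this same format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic libpcap file format (not pcapng): 24-byte global header, then a
 * 16-byte record header before each packet. Written little-endian, the byte
 * order libpcap itself produces on x86 hosts. */
#define PCAP_MAGIC          0xa1b2c3d4u
#define PCAP_VERSION_MAJOR  2
#define PCAP_VERSION_MINOR  4
#define PCAP_FILE_HDR_LEN   24
#define PCAP_REC_HDR_LEN    16
#define PCAP_SNAPLEN        65535u

/* Link-layer type stored in the global header. 141 is what libpcap eventually
 * assigned to DLT_MTP3 / LINKTYPE_MTP3; it is an assumption here because the
 * thread above is where that allocation was first being requested. Check
 * pcap/dlt.h on your system before relying on it. */
#define LINKTYPE_MTP3_ASSUMED 141u

static void put_u16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_u32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Serialize a one-packet capture into out. The packet bytes are stored as-is,
 * with no synthetic lower-layer header: the linktype alone tells the reader
 * what the first byte is. Returns the number of bytes produced, or 0 if out
 * cannot hold the result or the packet exceeds the snaplen. */
size_t build_fake_link_pcap(uint8_t *out, size_t cap, uint32_t linktype,
                            uint32_t ts_sec, uint32_t ts_usec,
                            const uint8_t *pkt, size_t len)
{
    size_t need = PCAP_FILE_HDR_LEN + PCAP_REC_HDR_LEN + len;
    if (len > PCAP_SNAPLEN || cap < need)
        return 0;
    put_u32le(out + 0, PCAP_MAGIC);
    put_u16le(out + 4, PCAP_VERSION_MAJOR);
    put_u16le(out + 6, PCAP_VERSION_MINOR);
    put_u32le(out + 8, 0);               /* thiszone: timestamps are UTC */
    put_u32le(out + 12, 0);              /* sigfigs: ignored by readers */
    put_u32le(out + 16, PCAP_SNAPLEN);
    put_u32le(out + 20, linktype);
    uint8_t *rec = out + PCAP_FILE_HDR_LEN;
    put_u32le(rec + 0, ts_sec);
    put_u32le(rec + 4, ts_usec);
    put_u32le(rec + 8, (uint32_t)len);   /* incl_len: bytes present in the file */
    put_u32le(rec + 12, (uint32_t)len);  /* orig_len: bytes on the wire (nothing truncated) */
    memcpy(rec + PCAP_REC_HDR_LEN, pkt, len);
    return need;
}

/* Parse the global header and the first record back out of buf. Every length
 * is checked against the buffer, so a truncated or malformed file returns -1
 * instead of causing an over-read. Returns the packet length on success. */
long read_first_packet(const uint8_t *buf, size_t n, uint32_t *linktype, const uint8_t **pkt)
{
    if (n < PCAP_FILE_HDR_LEN + PCAP_REC_HDR_LEN || get_u32le(buf) != PCAP_MAGIC)
        return -1;
    uint32_t incl = get_u32le(buf + PCAP_FILE_HDR_LEN + 8);
    if (incl > n - (PCAP_FILE_HDR_LEN + PCAP_REC_HDR_LEN))
        return -1;                       /* record claims more bytes than the file holds */
    *linktype = get_u32le(buf + 20);
    *pkt = buf + PCAP_FILE_HDR_LEN + PCAP_REC_HDR_LEN;
    return (long)incl;
}

int main(void)
{
    /* Constructed sample, not a captured message: an MTP3 SIO byte (0x83:
     * SCCP, national network), a 4-byte ITU routing label, then a few
     * placeholder SCCP bytes. */
    static const uint8_t mtp3_msg[] = { 0x83, 0x2a, 0x14, 0x0b, 0x45, 0x09, 0x80, 0x03, 0x0e, 0x19 };
    uint8_t file[256];
    size_t n = build_fake_link_pcap(file, sizeof file, LINKTYPE_MTP3_ASSUMED,
                                    1057698240u, 0, mtp3_msg, sizeof mtp3_msg);
    if (n == 0) return 1;
    FILE *fp = fopen("fake_mtp3.pcap", "wb");
    if (!fp) return 1;
    fwrite(file, 1, n, fp);
    fclose(fp);
    printf("wrote %zu bytes; open fake_mtp3.pcap with a reader that knows linktype %u\n",
           n, LINKTYPE_MTP3_ASSUMED);
    return 0;
}
```

The reader side is the part worth copying: a dissector fed a fake-link file has nothing below the protocol it decodes, so the only framing it can trust is the record's incl_len, and that value must be validated against the file size before a single byte of payload is touched.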