On Oct 29, 2003, at 12:54 AM, James Courtier-Dutton wrote:
The affix,"http://affix.sourceforge.net/";, bluetooth stack for linux
(Did they know what they were doing when they added the PF_AFFIX
protocol type for HCI SCO sockets, or was it a pure accident that
BTPROTO_HCISCO ends with "CISCO"? :-))
already has an interface to ethereal,
Their support is a bit, err, umm, odd.
The Ethereal patch contains:
1) a bunch of dissectors, which don't actually do any *capturing* - it
appears that the HCI dissector registers itself with Ethertype 0xb123,
so it appears to assume that the packets in the capture look like
Ethernet packets, with the Bluetooth stuff inside Ethereal payload;
2) a "capture-affix-pcap.c", which appears to be the "load WinPcap at
run time" code, modified to load a UNIX-style "libpcap.so" at run time.
2) seems not to be particularly useful - if you've dynamically-linked
Ethereal, it should *already* load "libpcap.so" at start-up time (at
least if ".so" is your OS's dynamically-linked library suffix). It
also doesn't appear to include any code to *call* the routine to load
"libpcap.so" at run time.
I assume that the affix people have a modified version of libpcap that
uses some mechanism (Bluetooth sockets?) to capture Bluetooth packets;
however, it doesn't appear to be in the Ethereal patch for affix, nor
can I find it in either the affix-kernel-2.0.2 or the affix-2.0.2
stable or testing tarballs.
So I don't see any evidence of any support for Bluetooth capture with
Ethereal, unless they've cleverly hidden their modified libpcap
somewhere.