Ethereal-dev: Re: [Ethereal-dev] Trying to add new format file
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Miklos Szurdi <szurdimiklos@xxxxxxxxx>
Date: Wed, 17 Nov 2004 08:46:42 -0800 (PST)
I will try to summarize this thing for you,
a small how-to on this, as it may be interesting for others too.
There is a readme on this in the wiretap library (README.developer);
as it says, it is very short and very dirty....but very useful!!!
You have to write two files:
your_dumpfile.h
this has to look exactly like radcom.h, for example
your_dumpfile.c
this has to look very similar to radcom.c, for example
(these radcom files are easy to interpret with a little C coding knowledge)
You need to write into three existing files (in wiretap):
/****************************************/
In file_access.c, add your header file to this list:
#include "wtap-int.h"
...
...
#include "network_instruments.h"
#include "your_dumpfile.h" /*this is your header file*/
and to this:
static int (*const open_routines[])(wtap *, int *, char **) = {
/* Files that have magic bytes in fixed locations. These
 * are easy to identify.
 */
libpcap_open,
...
airopeek9_open,
your_dumpfile_open, /* if your dump file uses some magic number; if not, then you still have to put it in the same array but somewhere else...it is evident from file_access.c */
};
dump_open_table[WTAP_NUM_FILE_TYPES] = {
/* WTAP_FILE_UNKNOWN */
{ NULL, NULL,
NULL, NULL },
....
/* WTAP_FILE_YOUR_DUMPFILE */
{ NULL, NULL,
NULL, NULL },
};
/********************************/
wiretap.h
what you should do with this file is in the readme
....
#define WTAP_FILE_EYESDN 39
#define WTAP_FILE_YOUR_DUMPFILE 40
/* last WTAP_FILE_ value + 1 */
#define WTAP_NUM_FILE_TYPES 41 /* don't forget to add one to this... */
....
/*********************************/
Makefile.common
find where radcom.c and radcom.h are and add yours in the same place...very obvious
on Linux you may have to run automake, autoconfig, and aclocal or something...I can't remember this part :(
"tricks" (no tricks, just timesaving small things) not in wiretap/README.developer
in the your_dumpfile_open function:
wth->file_type = WTAP_FILE_YOUR_DUMPFILE; /* the WTAP_FILE_ constant you added above */
wth->file_encap = WTAP_ENCAP_SOMETHING; /* that should be the basic protocol that your dump file carries...not the dump file's own format...the possibilities are in the wtap.h file */
wth->subtype_read = your_dumpfile_read;
wth->subtype_seek_read = your_dumpfile_seek_read;
wth->phdr.pkt_encap = wth->file_encap; /* this should be set to this...dunno why */
wth->snapshot_length = 0;
in the function your_dumpfile_read(....long *data_offset...)
this value has to be set for the seek_read function to find the packet...
That is it for me....
radcom.c was a very easy-to-follow example for me...so I hope it will be for you.
Gilbert Ramirez <gilbertr@xxxxxxxxx> wrote:
Like I've said before, if the file you're reading is an hex-dump text
file, then your easiest option is to try to convert it to a pcap file
using text2pcap, a program that comes with ethereal. text2pcap has a
lot of options, but if the hexdump format cannot be read by text2pcap,
another option is to write a small program to convert your hexdump
format to a format that *is* readable by text2pcap. I did this for a
netscreen hexdump file... see tools/netscreen2dump.py in the ethereal
SVN repository ( I don't think it's in 0.10.7)
--gilbert
On 17 Nov 2004 13:52:31 -0000, harsha ss wrote:
> Hi all,
> I am using the ethereal 0.10.7 version on linux machine.
> I want Ethereal to read a file of a different format with a mix of
> ASCII and hex messages. Ethereal says "unknown format" when reading such files.
> Please, can anyone give a suggestion on how to read such files and display the file
> contents in the Ethereal window?
>
> regards
> Harsha
_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev
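As an added example (not Ethereal's wiretap code, and not something Miklos posted), here is a reader for a made-up "YDMP" dump format written in the open / read / seek_read shape the summary above describes. A memory buffer stands in for wiretap's FILE_T so it runs stand-alone; the format, its 12-byte record header and every ydump_* name are hypothetical. The read routine records the data_offset that seek_read later needs, and it also shows the check a format module wants on the length field it pulls out of the file: a capture file is untrusted input, so the claimed length is bounded by a snaplen and by the bytes actually remaining before the record is handed out.

```c
/* Added example, not Ethereal/Wireshark code: reader for a hypothetical
 * "YDMP" dump format, split into open / read / seek_read like a wiretap
 * module. A memory buffer stands in for wiretap's FILE_T. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define YDUMP_MAGIC       "YDMP"   /* hypothetical magic at file offset 0 */
#define YDUMP_HDR_LEN     12       /* ts_sec(4) + ts_usec(4) + caplen(4), LE */
#define YDUMP_MAX_SNAPLEN 65535    /* largest caplen we are willing to accept */

struct ydump_pkt {
    uint32_t ts_sec, ts_usec, caplen;
    const uint8_t *data;           /* points into the file buffer */
};

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* open: identify the format by its fixed-location magic. Returns the
 * offset of the first record, or -1 if this is not our format. */
long ydump_open(const uint8_t *buf, size_t len) {
    if (len < 4 || memcmp(buf, YDUMP_MAGIC, 4) != 0)
        return -1;
    return 4;
}

/* read: parse the record at *pos, report its header offset through
 * *data_offset (what seek_read needs later) and advance *pos.
 * Returns 1 = got a packet, 0 = clean EOF, -1 = truncated or corrupt. */
int ydump_read(const uint8_t *buf, size_t len, size_t *pos,
               struct ydump_pkt *pkt, size_t *data_offset) {
    if (*pos == len)
        return 0;
    if (len - *pos < YDUMP_HDR_LEN)
        return -1;                             /* partial record header */
    const uint8_t *h = buf + *pos;
    uint32_t caplen = le32(h + 8);
    /* The length field comes from the file, so bound it by the snaplen and
     * by the bytes actually left; otherwise a bogus caplen would make the
     * caller read past the end of the buffer. */
    if (caplen > YDUMP_MAX_SNAPLEN || len - *pos - YDUMP_HDR_LEN < caplen)
        return -1;
    *data_offset = *pos;
    pkt->ts_sec  = le32(h);
    pkt->ts_usec = le32(h + 4);
    pkt->caplen  = caplen;
    pkt->data    = h + YDUMP_HDR_LEN;
    *pos += YDUMP_HDR_LEN + caplen;
    return 1;
}

/* seek_read: re-read one record at the data_offset saved by ydump_read. */
int ydump_seek_read(const uint8_t *buf, size_t len, size_t data_offset,
                    struct ydump_pkt *pkt) {
    size_t pos = data_offset, unused;
    if (data_offset >= len)
        return -1;
    return ydump_read(buf, len, &pos, pkt, &unused) == 1 ? 0 : -1;
}

/* Sequential pass over a whole file, as done when a capture is loaded.
 * Returns the packet count, or -1 on wrong magic / malformed data; each
 * record's data_offset lands in offsets[] (up to max_off entries). */
int ydump_count(const uint8_t *buf, size_t len, size_t *offsets, int max_off) {
    long first = ydump_open(buf, len);
    if (first < 0)
        return -1;
    size_t pos = (size_t)first, off;
    struct ydump_pkt pkt;
    int n = 0, rc;
    while ((rc = ydump_read(buf, len, &pos, &pkt, &off)) == 1) {
        if (n < max_off)
            offsets[n] = off;
        n++;
    }
    return rc == 0 ? n : -1;
}

/* Constructed sample file: magic + two records (caplen 3 and 2). */
static const uint8_t SAMPLE_GOOD[] = {
    'Y','D','M','P',
    0x01,0,0,0,  0x00,0x00,0,0,  0x03,0,0,0,  0xAA,0xBB,0xCC,
    0x02,0,0,0,  0xF4,0x01,0,0,  0x02,0,0,0,  0xDD,0xEE,
};
/* Constructed corrupt file: caplen claims 0x7FFFFFFF bytes, one is present. */
static const uint8_t SAMPLE_BAD_LEN[] = {
    'Y','D','M','P',
    0x01,0,0,0,  0,0,0,0,  0xFF,0xFF,0xFF,0x7F,  0xAA,
};

int main(void) {
    size_t offs[8];
    struct ydump_pkt pkt;
    printf("good file: %d packets\n",
           ydump_count(SAMPLE_GOOD, sizeof SAMPLE_GOOD, offs, 8));
    if (ydump_seek_read(SAMPLE_GOOD, sizeof SAMPLE_GOOD, offs[1], &pkt) == 0)
        printf("packet 2 at offset %zu: caplen=%u\n", offs[1], pkt.caplen);
    printf("bad-length file: %d\n",
           ydump_count(SAMPLE_BAD_LEN, sizeof SAMPLE_BAD_LEN, offs, 8));
    return 0;
}
```

The split mirrors what the summary sets up through wth->subtype_read and wth->subtype_seek_read: the sequential read hands back a data_offset for every record, and the random-access path only works because that offset was recorded; the length check sits in the one routine both paths share.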