Ethereal-dev: Re: [Ethereal-dev] question about "data link type" of one protocol

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Fri, 14 Jan 2005 02:21:29 -0800
zhangxian 33234 wrote:

I already have the data of some protocol which Ethereal
supported, such as the data of ISUP, of V5UA, of ANSI-41D etc. I
want to construct a capture file for those data so that Ethereal
can decode them. Now I am working on constructing a capture file for
my data. And I got big problems.

I have a part of ISUP data. I want to dissect it with Ethereal. I add
a capture file header in front of the ISUP data and constructed a
capture file for it. Then dissect it with Ethereal. When I add a capture
file header to the ISUP data, I must modify the "data link type" field to
designate which one the data (of ISUP) belongs to. In this example, I
modified the "data link type" (guint32 network; /* data link type
*/) value to 0x8D (the ISUP file format already supports storing MTP2 or
MTP3 directly).

Actually, that's not an ISUP file format - there are two link-layer types, one for MTP2 and one for MTP3.

If the file has a link-layer type of 140, for MTP2, then each packet must begin with an MTP2 header, with the payload of the packet, after the MTP2 header, containing an MTP3 header, and with the payload after that being specified by the service indicator in the MTP3 header, which would be 5 for ISUP.

If it has a link-layer type of 141 (0x8D, but link-layer types are usually written in decimal, not hexadecimal), for MTP3, then each packet must begin with an MTP3 header.

So if you just have ISUP data, you'd have to construct an MTP3 header, and write that header in the packet data, before the ISUP packet.

There's currently no link-layer type value in libpcap format for V5UA; Ethereal only dissects V5UA atop SCTP (RFC 3807 seems to indicate that it's intended to run atop SCTP). To have Ethereal dissect V5UA traffic, you'd have to add an IP and SCTP header, and use DLT_RAW (101).

If ANSI-41D is in ANSI MAP, you'd have to add a stack of headers (MTP3, SCCP, TCAP) in front of the ANSI MAP data, and use a link-layer type of 141 - or write support for link-layer type 142 as SCCP, and just add SCCP and TCAP headers.

When I want to validate a different protocol every time,
I need to check which protocol category the protocol belongs to in
Ethereal. So I can modify the corresponding data link type field. But how to
check which "data link type" a protocol belongs to when loading a capture
file header?

Most protocols Ethereal can dissect don't have data link types to which they belong. libpcap format isn't intended to contain, as the top-level protocol, arbitrary protocols - it's intended to contain traffic with headers starting at the link layer or the IP layer. If you want to be able to dissect arbitrary protocol data without including headers for all the protocol layers below that protocol, you'd either have to ask tcpdump-workers@xxxxxxxxxxx for every protocol you want to put into libpcap or construct your own capture file format and write support for that capture file format in Ethereal.
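
The approach described in the reply for bare ISUP data (link-layer type 141, with an MTP3 header written in front of each ISUP message) can be illustrated in Python; this is an added example, not part of the original message or Ethereal's code. It assumes the ITU-T MTP3 layout with 14-bit point codes (ANSI uses 24-bit point codes), and the point codes, network indicator, ISUP bytes and output file name are constructed sample values.

```python
import struct

LINKTYPE_MTP3 = 141   # link-layer type from the message: packet starts with MTP3
SI_ISUP = 5           # MTP3 service indicator for ISUP, as stated in the message


def mtp3_header_itu(dpc, opc, sls=0, si=SI_ISUP, ni=2):
    """MTP3 header, ITU-T layout (assumption): SIO octet + 32-bit routing label."""
    fields = (("dpc", dpc, 14), ("opc", opc, 14), ("sls", sls, 4),
              ("si", si, 4), ("ni", ni, 2))
    for name, value, bits in fields:
        if not 0 <= value < (1 << bits):
            raise ValueError(f"{name}={value} does not fit in {bits} bits")
    sio = (ni << 6) | si                       # network indicator | service indicator
    label = dpc | (opc << 14) | (sls << 28)    # sent least significant octet first
    return struct.pack("<BI", sio, label)


def pcap_file_header(linktype, snaplen=65535):
    """24-byte libpcap file header; the last field is 'network' (the link type)."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(packet, ts_sec=0, ts_usec=0):
    """16-byte per-packet header (timestamp, captured length, original length)."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(packet), len(packet)) + packet


def build_capture(isup_messages, dpc, opc):
    """Wrap each bare ISUP message in an MTP3 header and emit one pcap file."""
    out = [pcap_file_header(LINKTYPE_MTP3)]
    for n, isup in enumerate(isup_messages):
        if not isup:
            raise ValueError("empty ISUP message")
        out.append(pcap_record(mtp3_header_itu(dpc, opc) + isup, ts_sec=n))
    return b"".join(out)


# Constructed sample: CIC 1, message type 0x10 (Release Complete), no optional part.
SAMPLE_ISUP = bytes([0x01, 0x00, 0x10, 0x00])

if __name__ == "__main__":
    with open("isup_mtp3.pcap", "wb") as f:   # hypothetical output file name
        f.write(build_capture([SAMPLE_ISUP], dpc=1, opc=2))
```
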