ken williams wrote:

> I tried some of the captures on the link that you suggested and they were
> decoded once I had enabled the protocols.

OK, so the reason why it reported a WTAP_ENCAP value of 1 as UNKNOWN is
that it *was* unknown - you'd presumably disabled the Ethernet protocol.

> Now let me see if I have got this right.
> text2pcap uses the library Wiretap in order to interpret the protocols

No.
text2pcap writes out a libpcap-format file, which means that the
link-layer protocols it can handle are those supported by the libpcap
file format.
The files are then read, in Ethereal (and Tethereal, and some of the
utilities that come with Ethereal), by the Wiretap library. That
library can also read a number of non-libpcap capture file formats, and
support can be added for additional capture file formats.

> and that the gsm protocols are not in the library

There are two issues here:
1) there is no libpcap link-layer protocol code for any GSM protocol
and
2) there is no Wiretap encapsulation code for any GSM protocol.

> and therefore it will not work.
> I need to add gsm support to the library in order to use the text2pcap program.

At minimum, you need to add a Wiretap encapsulation code for whatever
GSM protocol is at the link layer in your trace file.
However, that's not sufficient, if you're using text2pcap. You would
also need to request a new link-layer protocol code (called a DLT_
value, as the names begin with DLT_) from tcpdump.org by sending mail to
tcpdump-workers@xxxxxxxxxxx, and, once you've gotten that (which should
happen fairly quickly if you indicate what protocol it is, so that we
can find the specification for the protocol), you would have to add to
the Wiretap code for reading libpcap files (or, rather, to the table it
uses for mapping DLT_ values to Wiretap encapsulation codes) a mapping
from the new DLT_ value to the new Wiretap encapsulation code.
If, rather than using text2pcap, you added to Wiretap the ability to
directly read the proprietary traces, you'd only need to have the code
to read those traces return the new encapsulation code value for
captures using that GSM protocol.
In either case, you would then have to have the dissector for that GSM
protocol register itself in the "wtap_encap" dissector table with the
new Wiretap encapsulation code (assuming such a dissector exists; if it
doesn't, you'd have to write one and add it to Ethereal).

> I assume then that text2pcap adds a protocol identifier in the pcap file.

As text2pcap writes libpcap files, and as libpcap files have, in the
file header, a DLT_ value indicating the link-layer protocol for the
packets in the file.

> I am using a binary distro for windows at the moment but am attempting to build
> ethereal on linux at home so that I can debug.

If you are going to do any of the stuff I mention above, you will *have*
to be able to build Ethereal on whatever platforms you will be using it
to read your mobile phone traces, as that stuff involves changing the
source code and rebuilding Ethereal.
Note that if you don't contribute the changes back to us, you will have
to maintain them yourself, and merge them into your private version of
Ethereal whenever you pick up a new release of Ethereal.
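
The two steps discussed in this message (the link-layer type stored in the libpcap file header, and the table that maps it to an encapsulation code) can be sketched as follows. This is an added example, not part of the original message and not Wiretap's code: the `ENCAP_*` names and values, the table, and the use of 147 (libpcap's private-use `DLT_USER0`) as a stand-in for a GSM link type are assumptions, and the sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PCAP_MAGIC      0xa1b2c3d4u /* libpcap file magic, in the writer's byte order */
#define DLT_EN10MB      1           /* Ethernet (real libpcap value) */
#define DLT_GSM_EXAMPLE 147         /* assumption: DLT_USER0 used as a stand-in */

/* Illustrative encapsulation codes, not Wiretap's real enum. */
enum { ENCAP_UNKNOWN = 0, ENCAP_ETHERNET = 1, ENCAP_GSM_EXAMPLE = 1000 };

static const struct { uint32_t dlt; int encap; } dlt_map[] = {
    { DLT_EN10MB,      ENCAP_ETHERNET },
    { DLT_GSM_EXAMPLE, ENCAP_GSM_EXAMPLE }, /* the row a new link type needs */
};

static uint32_t rd32(const uint8_t *p, int big_endian) {
    return big_endian
        ? ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]
        : ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

/* Returns the link-layer type from a 24-byte libpcap file header, or -1. */
long long pcap_header_dlt(const uint8_t *buf, size_t len) {
    int be;
    if (buf == NULL || len < 24) return -1;   /* truncated header */
    if (rd32(buf, 0) == PCAP_MAGIC) be = 0;   /* written little-endian */
    else if (rd32(buf, 1) == PCAP_MAGIC) be = 1;
    else return -1;                           /* not a libpcap file */
    return (long long)rd32(buf + 20, be);     /* last field of the header */
}

/* Maps a link-layer type to an encapsulation code; unmapped types are unknown. */
int dlt_to_encap(long long dlt) {
    for (size_t i = 0; i < sizeof dlt_map / sizeof dlt_map[0]; i++)
        if (dlt >= 0 && (uint32_t)dlt == dlt_map[i].dlt) return dlt_map[i].encap;
    return ENCAP_UNKNOWN;
}

/* Constructed headers: little-endian Ethernet, big-endian stand-in type. */
const uint8_t sample_eth[24] = { 0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0,
                                 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0 };
const uint8_t sample_gsm[24] = { 0xa1,0xb2,0xc3,0xd4, 0,2, 0,4, 0,0,0,0,
                                 0,0,0,0, 0,0,0xff,0xff, 0,0,0,147 };

int main(void) {
    printf("eth: encap=%d\n", dlt_to_encap(pcap_header_dlt(sample_eth, 24)));
    printf("gsm: encap=%d\n", dlt_to_encap(pcap_header_dlt(sample_gsm, 24)));
    return 0;
}
```

Removing the second row of `dlt_map` makes the second sample come back as `ENCAP_UNKNOWN`, which is the situation a reader is in before the mapping for a new link-layer type exists.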