Jeetendra Singh wrote:
> Am not sure whether such a support is there. I did go through the
> mailing list messages but couldn't find definite answers. DAG SS7 card
> doesn't support that for sure.

Libpcap 0.9.3, at least on Linux (and FreeBSD?), for "HDLC" captures,
supports selecting from Cisco HDLC, PPP, Frame Relay, and MTP2 as
link-layer types, and Ethereal should be able to read DLT_MTP2 captures.
WinPcap also appears to include DAG support, but I don't see
anything for MTP2.

> For Intel's Septel card, if somebody has done
> that, I would really be interested but I don't see it in Ethereal
> distribution?

Remember, I said that much of this belongs in libpcap; check libpcap
0.9.3. It captures MTP2 traffic as DLT_MTP2, which Ethereal should be
able to read.

> By proprietary information, (and if I may use the example quoted for SS7
> above), I mean the time slot information, the card information, the port
> number etc. This information is not carried in the frame, so this
> information has to go in a proprietary way

"Proprietary" in what sense? It doesn't have to be "proprietary" in the
sense of "secret and undocumented".
If that information is supplied on a per-packet basis, the way it's
traditionally supplied in libpcap-format capture files is via a
"pseudo-header"; the packet data would consist of a pseudo-header
followed by the packet data, with the packet data containing information
such as the time slot number (in a standard byte order, preferably).
This would require a new libpcap DLT_ value, but they're given out
fairly freely - just ask tcpdump-workers@xxxxxxxxxxx for one, giving a
description of the use.

> In addition, another requirement can be to allow user to put filters on
> the basis of this proprietary information itself.

If you mean "capture filters", that would be done in libpcap; that can
be added.
If you mean "display filters", that's up to the dissector.

> Let's assume, I would not like to use GUI or a file to get the captured
> and filtered data. I would like to *automate* my analysis of filtered
> data partly because my requirement is to do the analysis in real-time.

That might be done with a tap in Tethereal. Do a live capture, and run
with "-q" if you don't want information about individual packets to be
printed, and have the tap process the information as it receives it.
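
The pseudo-header approach described in the reply above, as an added example that is not part of the original message: each libpcap record carries a small fixed header in network byte order ahead of the frame, and a reader validates record lengths before selecting frames by time slot. The three-field layout (time slot, card, port), the function names and the use of the private-use link type DLT_USER0 (147) in place of a newly assigned DLT_ value are assumptions for illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4             # classic libpcap magic, microsecond timestamps
DLT_USER0 = 147                     # private-use link type, stand-in for an assigned DLT_
PSEUDO_HDR = struct.Struct("!HBB")  # hypothetical layout: time slot, card, port

# Constructed sample records: (ts_sec, ts_usec, slot, card, port, frame bytes)
SAMPLE = [
    (1, 0, 16, 0, 1, bytes.fromhex("ffff00")),
    (1, 500, 17, 0, 1, bytes.fromhex("8182031122")),
    (2, 0, 16, 0, 2, bytes.fromhex("8384051234")),
]


def write_capture(out, records, snaplen=65535):
    """Write a capture file whose records are pseudo-header + frame."""
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, DLT_USER0))
    for ts_sec, ts_usec, slot, card, port, frame in records:
        data = PSEUDO_HDR.pack(slot, card, port) + frame  # network byte order
        out.write(struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)))
        out.write(data)


def read_capture(inp):
    """Yield (slot, card, port, frame) per record; reject malformed input."""
    ghdr = inp.read(24)
    if len(ghdr) != 24:
        raise ValueError("truncated file header")
    magic, _, _, _, _, snaplen, linktype = struct.unpack("<IHHiIII", ghdr)
    if magic != PCAP_MAGIC or linktype != DLT_USER0:
        raise ValueError("unexpected magic or link type")
    while True:
        rhdr = inp.read(16)
        if not rhdr:
            return
        if len(rhdr) != 16:
            raise ValueError("truncated record header")
        _, _, incl_len, _ = struct.unpack("<IIII", rhdr)
        if not PSEUDO_HDR.size <= incl_len <= snaplen:
            raise ValueError("record length out of range")
        data = inp.read(incl_len)
        if len(data) != incl_len:
            raise ValueError("truncated record")
        yield (*PSEUDO_HDR.unpack_from(data), data[PSEUDO_HDR.size:])


def frames_on_slot(inp, wanted_slot):
    """Select frames by pseudo-header field, which the frame itself lacks."""
    return [f for slot, _, _, f in read_capture(inp) if slot == wanted_slot]
```

The reader handles only little-endian files with the magic shown; a general reader would also accept the byte-swapped magic.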