Wireshark-dev: Re: [Wireshark-dev] Questions about dev

From: "Neha Chahal" <neha.chahal@xxxxxxxxx>
Date: Tue, 7 Nov 2006 12:12:56 -0800
On 11/7/06, Guy Harris <guy@xxxxxxxxxxxx> wrote:
Neha Chahal wrote:

> The format of the file is binary

"Binary" isn't a format for a packet capture; there are several capture
file formats, all of which are binary, but they're not all the same.
What *specific* binary format is it?

Is this some standard format (libpcap format as used by
tcpdump/WinDump/Wireshark/etc., DOS Sniffer format, Windows Sniffer
format, Microsoft Network Monitor format, Sun snoop format, etc.), or is
it some format you or somebody else has created?

Yes it is "not" one of these formats. The packets are in LEA binary format.

> and the protocol is LEA.

What protocol is that?

Law Enforcement Agency protocol for call tracing(lawful intercept protocol)


> It is a protocol at the application layer. So it is the top  most protocol.

What protocol does it run atop?  TCP?  UDP?  Some other protocol?


On top of UDP for my application.

> So I have to implement both. Is that true?

Yes, you have to implement both read and seek_read functions.

> So my read routine is returning the packet in wth->frame_buffer. But I
> have not implementes the seek_read. The README.dev says "implement
> seek_read if necessary". What does this mean?

It means that the documentation hasn't been updated to indicate that
there's no longer a "default" seek_read routine that a file format
module can use, so modules always have to have their own seek_read
routine.  (I've just checked in a change to wiretap/README.developer to
fix that.)

> When is it necessary?

Always.

> My packets dont have any transport layer headers. They are in the
> format I have specified in the dissector. So this is the way my packet
> looks like.
>
> fixed header
> payload header
> variable length payload

So are you saying that the *ONLY* protocol in the packet is this "LEA"
protocol?

Yes, only LEA.


> In the dissector I have given protocol details starting from the fixed
> header. So the packet that I return in the wth->frame_buffer should
> start from the fixed header to the end of the payload. Is this
> correct?

Yes.

> Where should the data offset point. At the payload header or at the
> fixed header ?

At the fixed header - it's the offset to which the seek_read routine
would need to seek to get the entire packet.

okay.

So once I am done doing these changes. How do I test my changes?
Should I do a make install. And then run tethereal on my binary file.
Currently I am working on the ethereal tar, I downloaded.

Thank you very much, forgive me if I sound stupid. But I am very new
to ethereal/wireshark.

--Neha
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev



--
Thanks and Regards,
Neha Chahal
Cell- 443 207 0414