Hi guys

At the moment, if Wireshark comes across an unexpected data-link level type in the global header when reading a PCAP file, it completely rejects the file. This doesn’t allow the user to apply any intelligence, e.g. by manipulating the “wtap_encap” dissector table using Lua.

A quick hack prototype suggests that it is possible to read unknown or mis-labelled data; the frame dissector just hands it off to the data dissector.

a) Would adding an option allowing unrecognised data to be read in from a PCAP file cause any side-effects that I haven’t spotted? The only changes other than setting up the option would be in libpcap.c:libpcap_open, so that it would continue processing an unrecognised type.

b) What would the best way be of adding this option? My first thought was to make it a preference, but the wiretap library has no dependencies on the epan module where the preferences are. It looks like it would take some careful wiring to add in the option without introducing a dependency (which I think would break some of the apps). Setting up a new (non-protocol) preference might also have to be duplicated across tshark and wireshark, which is ugly.

Cheers
Doug
__________________________________________
Douglas Pratley
t +44 845 050 7640 | f +44 845 644 5436
a Detica | PO Box 383 | Horley | Surrey | RH6 7WX | UK
______________________________________________
www.detica.com
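
The decision discussed in the message above, sketched as an added example (not Wireshark or wiretap code, and not from the original post): it reads the link-type ("network") field from a pcap global header in either byte order and either rejects an unrecognised value or passes it through for generic data handling. The function name, result codes, the three-entry table and the sample headers are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical result codes for this sketch; not wiretap's own. */
enum lt_result { LT_BAD_FILE = -1, LT_KNOWN, LT_UNKNOWN_AS_DATA, LT_REJECTED };

/* Small illustrative subset of link types: Ethernet, raw IP, Linux cooked. */
static const uint32_t known[] = { 1, 101, 113 };

/* Constructed 24-byte global headers: little-endian Ethernet, and a
 * big-endian file whose network field (0x7fff) is not in the table. */
const uint8_t SAMPLE_LE[24] = { 0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0,
                                0xff,0xff,0,0, 1,0,0,0 };
const uint8_t SAMPLE_BE[24] = { 0xa1,0xb2,0xc3,0xd4, 0,2, 0,4, 0,0,0,0, 0,0,0,0,
                                0,0,0xff,0xff, 0,0,0x7f,0xff };

/* Read a 32-bit field in the file's byte order. */
static uint32_t rd32(const uint8_t *p, int big_endian) {
    return big_endian
        ? ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]
        : ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

/* Inspect the global header; allow_unknown models the proposed option. */
enum lt_result check_linktype(const uint8_t *hdr, size_t len, int allow_unknown,
                              uint32_t *linktype) {
    int big_endian;
    uint32_t magic;
    if (len < 24) return LT_BAD_FILE;            /* truncated header */
    magic = rd32(hdr, 0);
    if (magic == 0xa1b2c3d4u || magic == 0xa1b23c4du) big_endian = 0;
    else if (magic == 0xd4c3b2a1u || magic == 0x4d3cb2a1u) big_endian = 1;
    else return LT_BAD_FILE;                     /* not a pcap file */
    *linktype = rd32(hdr + 20, big_endian);      /* "network" field */
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (known[i] == *linktype) return LT_KNOWN;
    /* Unknown type: hand frames to a generic data dissector, or reject. */
    return allow_unknown ? LT_UNKNOWN_AS_DATA : LT_REJECTED;
}

int main(void) {
    uint32_t lt = 0;
    printf("LE: %d\n", check_linktype(SAMPLE_LE, 24, 0, &lt));
    printf("BE strict: %d\n", check_linktype(SAMPLE_BE, 24, 0, &lt));
    printf("BE lenient: %d (type %u)\n", check_linktype(SAMPLE_BE, 24, 1, &lt), (unsigned)lt);
    return 0;
}
```

The magic number check still rejects files that are not pcap at all, so the lenient path only changes what happens to a well-formed header with an unrecognised link type.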