Hi guys
At the moment, if Wireshark comes across an unexpected data-link level type in the global header when reading a PCAP file, it completely rejects the file. This doesn’t allow the user to apply any intelligence, e.g. by manipulating the “wtap_encap” dissector table using Lua.
A quick hack prototype suggests that it is possible to read unknown or mis-labelled data; the frame dissector just hands it off to the data dissector.
a) Would adding an option allowing unrecognised data to be read in from a PCAP file cause any side-effects that I haven’t spotted? The only changes other than setting up the option would be in libpcap.c:libpcap_open, so that it would continue processing an unrecognised type.
b) What would the best way be of adding this option? My first thought was to make it a preference, but the wiretap library has no dependencies on the epan module where the preferences are. It looks like it would take some careful wiring to add in the option without introducing a dependency (which I think would break some of the apps). Setting up a new (non-protocol) preference might also have to be duplicated across tshark and wireshark, which is ugly.
Cheers
Doug
__________________________________________
Douglas Pratley
t +44 845 050 7640 | f +44 845 644 5436
a Detica | PO Box 383 | Horley | Surrey | RH6 7WX | UK
______________________________________________
www.detica.com
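
The lenient-read behaviour proposed above, as an added example that is not part of the original message and is not Wireshark's code: a minimal classic-pcap reader in Python that either rejects an unrecognised link type (strict) or keeps the raw frames so they can be interpreted later. The names `read_pcap` and `build_sample`, the three-entry link-type table, the `MAX_FRAME` cap and the link-type value 9999 are assumptions made for the illustration.

```python
import struct

# Small illustrative subset of LINKTYPE_ values; a real reader knows many more.
KNOWN_LINKTYPES = {1: "ETHERNET", 101: "RAW", 113: "LINUX_SLL"}
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # microsecond pcap
MAX_FRAME = 262144  # assumed sanity cap on untrusted record lengths


class UnknownLinkType(ValueError):
    pass


def read_pcap(data, strict=True):
    """Return (linktype, name_or_None, [frame bytes]) from classic pcap bytes."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    endian = MAGICS[data[:4]]
    _major, _minor, _zone, _sigfigs, _snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    name = KNOWN_LINKTYPES.get(linktype)
    if name is None and strict:
        # Behaviour described in the message: the whole file is rejected.
        raise UnknownLinkType(f"unsupported link type {linktype}")
    frames, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        # Record lengths come from the file, so bound them before slicing.
        if incl_len > MAX_FRAME or off + incl_len > len(data):
            raise ValueError(f"bad record length {incl_len} at offset {off - 16}")
        frames.append(data[off:off + incl_len])
        off += incl_len
    return linktype, name, frames


def build_sample(linktype):
    """Constructed sample: global header plus one 4-byte record."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    rec = struct.pack("<IIII", 0, 0, 4, 4) + b"\xde\xad\xbe\xef"
    return hdr + rec


if __name__ == "__main__":
    sample = build_sample(9999)  # 9999: constructed value absent from the table
    print(read_pcap(sample, strict=False))
```

In lenient mode the record framing is still validated, since the per-record headers do not depend on the link type; only the interpretation of the payload is deferred.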