Wireshark-dev: Re: [Wireshark-dev] Fun with Cisco DLT-value usage

From: Andrej Mikus <wireshark-dev@xxxxxxxx>
Date: Wed, 21 Mar 2007 00:10:50 +0100
I believe the issue could be reported to Cisco TAC requesting
correction, instead of hacking heuristics. At the other hand,
did they announce somewhere that they are using libpcap format?

I was googling a bit and found indications how to convert the file
http://www.gossamer-threads.com/lists/engine?post=56109;list=cisco

In one post is mentioned also that upcoming SW release is expected to
create pcap files.

Andrej


On Thu, 15.Mar.07 20:30:01 -0700, Guy Harris wrote:
> 
> On Mar 15, 2007, at 8:06 PM, Jeff Morriss wrote:
> 
> > I suppose you'll need heuristics like those described in the (long)
> > comments in "wiretap/libpcap.c".
> 
> Or like the ones in epan/dissectors/packet-null.c.
> 
> Now, if only the fine folks at Cisco had seen some other comments in  
> that file, such as
> 
> /*
>   * Either LBL NRG wasn't an adequate central registry (e.g., because of
>   * the slow rate of releases from them), or nobody bothered using them
>   * as a central registry, as many different groups have patched libpcap
>   * (and BPF, on the BSDs) to add new encapsulation types, and have  
> ended
>   * up using the same DLT_ values for different encapsulation types.
>   *
>   * For those numerical encapsulation type values that everybody uses  
> for
>   * the same encapsulation type (which inclues those that some platforms
>   * specify different DLT_ names for but don't appear to use), we map
>   * those values to the appropriate Wiretap values.
>   *
>   * For those numerical encapsulation type values that different libpcap
>   * variants use for different encapsulation types, we check what
>   * <pcap.h> defined to determine how to interpret them, so that we
>   * interpret them the way the libpcap with which we're building
>   * Wireshark/Wiretap interprets them (which, if it doesn't support
>   * them at all, means we don't support them either - any capture files
>   * using them are foreign, and we don't hazard a guess as to which
>   * platform they came from; we could, I guess, choose the most likely
>   * platform).
>   *
>   * Note: if you need a new encapsulation type for libpcap files, do
>   * *N*O*T* use *ANY* of the values listed here!  I.e., do *NOT*
>   * add a new encapsulation type by changing an existing entry;
>   * leave the existing entries alone.
>   *
>   * Instead, send mail to tcpdump-workers@xxxxxxxxxxx, asking for a new
>   * DLT_ value, and specifying the purpose of the new value.  When you
>   * get the new DLT_ value, use that numerical value in the "dlt_value"
>   * field of "pcap_to_wtap_map[]".
>   */
> 
> or
> 
>          /*
>           * To repeat:
>           *
>           * If you need a new encapsulation type for libpcap files, do
>           * *N*O*T* use *ANY* of the values listed here!  I.e., do *NOT*
>           * add a new encapsulation type by changing an existing entry;
>           * leave the existing entries alone.
>           *
>           * Instead, send mail to tcpdump-workers@xxxxxxxxxxx, asking  
> for
>           * a new DLT_ value, and specifying the purpose of the new  
> value.
>           * When you get the new DLT_ value, use that numerical value in
>           * the "dlt_value" field of "pcap_to_wtap_map[]".
>           */
> 
> or, in the bpf.h that comes with libpcap:
> 
> /*
>   * Data-link level type codes.
>   *
>   * Do *NOT* add new values to this list without asking
>   * "tcpdump-workers@xxxxxxxxxxx" for a value.  Otherwise, you run the
>   * risk of using a value that's already being used for some other  
> purpose,
>   * and of having tools that read libpcap-format captures not being able
>   * to handle captures with your new DLT_ value, with no hope that they
>   * will ever be changed to do so (as that would destroy their ability
>   * to read captures using that value for that other purpose).
>   */
> 
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-dev