Wireshark-dev: Re: [Wireshark-dev] using user specified dissectors for dlts

From: "Moheed Moheed Ahmad" <moheedm@xxxxxxxxx>
Date: Sat, 19 May 2007 02:35:21 +0530
Hi Luis,
 
Thanks for your reply.

Can I do something like this?
 
if (link_type == user_specific) { // (say WTAP_ENCAP_USER00)
    :
    do whatever is necessary to get the info you want, i.e. start dissecting using user_dlts
    :
}
 
But for this, at least one user dissector should be allowed to capture live packets.

Right now one can't set user_dissectors to capture live packets, though this works while reading from a captured file.

What I have is:

some_proprietary_header + ethernet pkt
and I want to do live capture for that.



 

On 5/19/07, Luis Ontanon <luis.ontanon@xxxxxxxxx> wrote:
I do not think you can use -y to set an arbitrary encapsulation type
when capturing (I guess that is for interfaces that can handle more
than one encapsulation e.g. a TDM interface might do HDLC, FR, X.25
etc...). I think your dissector should either register to "wtap_encap"
to handle WTAP_ENCAP_ETHERNET (1), or you should be first capturing
(dumpcap or tcpdump -w xxx) and then forcing the DLT of the file to
be what you want (using editcap's -T).

Luis



On 5/18/07, Moheed Moheed Ahmad <moheedm@xxxxxxxxx> wrote:
>
> Hi Luis,
> when I am trying to use the user specific dissector
> for datalinktype WTAP_ENCAP_USER00 (i.e. when running tshark with option -y
> 147)
> I am getting the following:
>
> Unable to set data link type.
> That DLT isn't one of the DLTs supported by this device.
> Please report this to the Wireshark developers.  (This is not a crash;please
> do not report it as such.)
>
>
> There is a comment in capture_loop.c saying:
> /* setting the data link type only works on real interfaces */
> though the interface I am giving is the eth0 interface on a Linux m/c
>
> I have to call my dissector for dissecting ethernet pkts, when user is
> supplying option -y 147
>
> Please help me.
>
>
> Regards,
> Moheed Moheed Ahmad


--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan



--
Moheed Moheed Ahmad
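
The capture-then-relabel route from the quoted reply, shown at the file-format level as an added example (not part of the thread and not Wireshark or editcap code): the link type is a single field in the classic pcap global header, so changing it from Ethernet (1) to the 147 used in the thread leaves every captured byte untouched. The function names and the sample frame are constructed for illustration, and only classic pcap (not pcapng) is handled.

```python
import struct

LINKTYPE_ETHERNET = 1   # the "(1)" next to WTAP_ENCAP_ETHERNET in the thread
LINKTYPE_USER0 = 147    # the value given to -y in the thread
HDR_LEN = 24            # classic pcap global header; link type is its last 4 bytes

# On-disk magic bytes -> struct byte order (microsecond and nanosecond variants).
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",
}

def read_linktype(data):
    """Return (byte_order, linktype) from a classic pcap global header."""
    if len(data) < HDR_LEN:
        raise ValueError("truncated pcap global header")
    order = MAGICS.get(data[:4])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack_from(order + "I", data, 20)
    return order, linktype

def force_linktype(data, new_linktype, expect=None):
    """Rewrite only the header's link type; packet records are copied as-is."""
    order, old = read_linktype(data)
    if expect is not None and old != expect:
        raise ValueError(f"file has link type {old}, expected {expect}")
    return data[:20] + struct.pack(order + "I", new_linktype) + data[HDR_LEN:]

def build_sample(order="<"):
    """Constructed capture: one record = made-up 4-byte header + Ethernet header."""
    frame = b"\xde\xad\x00\x01" + bytes(6) + bytes(6) + b"\x08\x00"
    hdr = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535,
                      LINKTYPE_ETHERNET)
    rec = struct.pack(order + "IIII", 0, 0, len(frame), len(frame))
    return hdr + rec + frame

if __name__ == "__main__":
    cap = build_sample()
    out = force_linktype(cap, LINKTYPE_USER0, expect=LINKTYPE_ETHERNET)
    print(read_linktype(cap), "->", read_linktype(out))
```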