Fulko.Hew@xxxxxxxxx schrieb:
I'm trying to figure out how to format (or where to place the data) in the pcap buffer when capturing my WAN protocols.

I've built a system that will capture the data and feed it via pcap to wireshark, and I've got it working for Ethernet data and for frame relay data, but I'm having trouble dealing with getting the proprietary data into wireshark intact so that I can later write a dissector. (I'm going to test everything out before submitting my requests for a set of DLT_ numbers for these protocols. In the meantime, I've just taken the next few currently unassigned ones while I work on my code.)

The trouble is that I don't know what values to put into: off_linktype, off_nl and off_nl_nosnap for my DLT cases. (And I think that's where my problem lies.)

Right now, the first thing in each received buffer is the typical 16 bytes of: timestamp_sec, timestamp_usec, capture_len, pkt_len, which is followed by 'n' bytes of my protocol's data.
Here's the stuff that I captured and fed into pcap/wireshark:
Pkt 1 hdr : 46 93 ae 55 00 0c df 4b 00 00 00 0b 00 00 00 0b
\---------/ \---------/ \---------/ \---------/
timestamp timestamp capture len packet len
Pkt 1 data: 01 02 03 01 47 50 70 03 64 7f 7f
\------------------------------/
0xb bytes of my captured data
Pkt 2 hdr : 46 93 ae 56 00 02 3b 7e 00 00 0b 00 00 00 0b
Pkt 2 data: 01 02 03 01 3b 50 70 03 18 7f 7f
Pkt 3 hdr : 46 93 ae 56 00 06 dd db 00 00 00 0b 00 00 00 0b
Pkt 3 data: 01 02 03 01 47 50 70 03 64 7f 7f
...
When Wireshark goes to display it, the Protocol column says 'unknown', which I can understand, because I don't have any dissectors for that DLT (WTYP_ENCAP) type yet. The Info column says WTAP_ENCAP = 94. (I don't see where it gets the value of '94' from.)

The summary pane (for the first message) says:
Frame 1 had (6 bytes on wire, 6 bytes captured)
Data (6 bytes)
and the (related) detail pane says:
0000 7f 56 ae 93 46 7e

I can reverse engineer (see that data pattern in the header of the 2nd data message), but I don't know why it's looking in there, and why it thinks there are only 6 bytes of data, and why it's looking at it with the endianness it is. For the life of me, I can't figure out what I'm doing wrong, to cause Wireshark to go looking in there. I have tried to look through docs and mailing lists, but I haven't found anything to help me yet. :-(
Did you notice http://wiki.wireshark.org/Development/LibpcapFileFormat?
Regards, ULFL
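As an added illustration (not code from either poster), here is a small Python writer and reader for the classic libpcap file layout that wiki page describes: a 24-byte global header followed by a 16-byte record header (ts_sec, ts_usec, incl_len, orig_len) before each packet, with every field in the byte order announced by the magic number. It uses the three records quoted in the post as constructed sample input and tags them with DLT_USER0 (147), one of the link-type values libpcap reserves for private use rather than an unassigned number; the reader rejects any record whose header or payload runs past the end of the file, which is how a short or misplaced record header shows up.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # written in the file's own byte order; readers detect it
DLT_USER0 = 147              # libpcap reserves 147-162 (DLT_USER0..15) for private use

# Constructed sample: the three records quoted in the post as (ts_sec, ts_usec, payload).
SAMPLE = [
    (0x4693AE55, 0x000CDF4B, bytes.fromhex("01 02 03 01 47 50 70 03 64 7f 7f")),
    (0x4693AE56, 0x00023B7E, bytes.fromhex("01 02 03 01 3b 50 70 03 18 7f 7f")),
    (0x4693AE56, 0x0006DDDB, bytes.fromhex("01 02 03 01 47 50 70 03 64 7f 7f")),
]


def write_pcap(records, linktype, snaplen=65535, endian="<"):
    """Serialise records as a classic pcap file; endian is '<' or '>' (struct syntax)."""
    # Global header: magic, major=2, minor=4, thiszone, sigfigs, snaplen, network (linktype).
    out = bytearray(struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, payload in records:
        captured = payload[:snaplen]
        # Record header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on wire).
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, len(captured), len(payload))
        out += captured
    return bytes(out)


def read_pcap(buf):
    """Parse a pcap file; returns (linktype, [(ts_sec, ts_usec, payload), ...])."""
    if len(buf) < 24:
        raise ValueError("file shorter than the 24-byte global header")
    if struct.unpack("<I", buf[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", buf[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("unknown magic %s" % buf[:4].hex())
    _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", buf[4:24])
    records, off = [], 24
    while off < len(buf):
        if len(buf) - off < 16:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", buf[off:off + 16])
        off += 16
        # Length sanity checks: a bad value here desynchronises every later record.
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(buf):
            raise ValueError("bad incl_len %d at offset %d" % (incl_len, off - 16))
        records.append((ts_sec, ts_usec, buf[off:off + incl_len]))
        off += incl_len
    return linktype, records


if __name__ == "__main__":
    blob = write_pcap(SAMPLE, DLT_USER0)
    linktype, recs = read_pcap(blob)
    print("linktype", linktype, "records", len(recs), "bytes", len(blob))
```

Writing the same records with endian=">" produces a file whose magic reads a1 b2 c3 d4 on disk, and read_pcap recovers identical records from both variants.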