Wireshark-dev: Re: [Wireshark-dev] capturing data from a propietary device

Date: Tue, 10 Jul 2007 17:17:52 -0400

wireshark-dev-bounces@xxxxxxxxxxxxx wrote on 07/10/2007 05:00:59 PM:

> Fulko.Hew@xxxxxxxxx schrieb:
> > I'm trying to figure out how to format (or where to place the data)
> > in the pcap buffer when capturing my WAN protocols.
> >
> > I've built a system that will capture the data and feed it via pcap to
> > wireshark,
> > and I've got it working for Ethernet data and for frame relay data, but
I'm
> > having
> > trouble dealing with getting the proprietary data into wireshark intact
so
> > that
> > I can later write a disector.
> >
> > (I'm going to test everything out before submitting my requests for a
set
> > of DLT_
> > mumbers for these protocols.  In the mean time, I've just taken the
next
> > few
> > currently un-assigned ones while I work on my code).
> >
> > The trouble is that I don't know what values to put into: off_linktype,
> > off_nl
> > and off_nl_nosnap for my DLT cases. (And I think thats where my problem
> > lies.)
> >
> > Right now, the first thing in each received buffer is the typical 16
bytes
> > of:
> > timestamp_sec, timestamp_usec, capture_len, pkt_len, which is
> > followed by 'n' bytes of my protocol's data.
> >
> >
> >
> > Here's the stuff that I captured and fed into pcap/wireshark:
> >
> > Pkt 1 hdr : 46 93 ae 55  00 0c df 4b  00 00 00 0b  00 00 00 0b
> >             \---------/  \---------/  \---------/  \---------/
> >              timestamp    timestamp   capture len  packet len
> >
> > Pkt 1 data: 01 02 03 01 47 50 70 03 64 7f 7f
> >             \------------------------------/
> >             0xb bytes of my captured data
> >
> >
> > Pkt 2 hdr : 46 93 ae 56 00 02 3b 7e 00 00 0b 00 00 00 0b
> > Pkt 2 data: 01 02 03 01 3b 50 70 03 18 7f 7f
> >
> > Pkt 3 hdr : 46 93 ae 56 00 06 dd db 00 00 00 0b 00 00 00 0b
> > Pkt 3 data: 01 02 03 01 47 50 70 03 64 7f 7f
> >
> > ...
> >
> >
> > When Wireshark goes to display it, the Protocol column says 'unknown',
> > which I can understand, because I don't have any disectors for that
> > DLT (WTYP_ENCAP) type yet.
> >
> > The Info column says WTAP_ENCAP = 94.
> > (I don't see where it gets the value of '94' from.)
> >
> > The summary pane (for the first message) says:
> >
> > Frame 1 had (6 bytes on wire, 6 bytes captured)
> > Data (6 bytes)
> >
> > and the (related) detail pane says:
> >
> > 0000  7f 56 ae 93 46 7e
> >
> >
> > I can reverse engineer (see that data pattern in the header of the 2nd
data
> > message), but I don't know why its looking in there, and why it thinks
> > there is only 6 bytes of data, and why its looking at it with the
endianess
> > it is.
> >
> >
> > For the life of me, I can't figure out what I'm doing wrong,
> > to cause Wireshark to go looking in there.
> >
> > I have tried to look through docs and mailing lists,
> > but I haven't found anything to help me yet.  :-(
> >
> Did you noticed http://wiki.wireshark.org/Development/LibpcapFileFormat?


Yes, I did, and I am in theory following it.
The difference is that the document refers to the 'file format' and not
the live stream, so the global header is not applicable.  This information
is (somehow) exchanged in a different manner via DLT_xxx and WTAP_ENCAP_xxx

Looking at in more detail... either my DLT_xxx isn't being propogated into
Wireshark
or my WTAP_ENCAP_xxx in Wireshark isn't being followed, or there's a
disconnect
somewhere.

But presuming that I get the DLT and WTAP to line up, I still don't know
what values to put into off_linktype, off_nl and off_nl_nosnap on the pcap
side
of things.




This document is strictly confidential and intended only for use by the addressee unless otherwise stated.  If you are not the intended recipient, please notify the sender immediately and delete it from your system.