Wireshark-dev: Re: [Wireshark-dev] capturing data from a propietary device

From: Ulf Lamping <ulf.lamping@xxxxxx>
Date: Wed, 11 Jul 2007 01:45:13 +0200
Fulko.Hew@xxxxxxxxx schrieb:
Did you noticed http://wiki.wireshark.org/Development/LibpcapFileFormat?
Yes, I did, and I am in theory following it.
The difference is that the document refers to the 'file format' and not
the live stream, so the global header is not applicable.  This information
is (somehow) exchanged in a different manner via DLT_xxx and WTAP_ENCAP_xxx
Well, how do you try to "inject" stuff into WS then? Do you use a pipe, emulate (enhance) libpcap, emulate (exchange) dumpcap or what are you doing?

Without knowing at which "edge" you're docking to Wireshark it's pretty difficult to determine how the format should look like.
Looking at in more detail... either my DLT_xxx isn't being propogated into
Wireshark
or my WTAP_ENCAP_xxx in Wireshark isn't being followed, or there's a
disconnect
somewhere.

But presuming that I get the DLT and WTAP to line up, I still don't know
what values to put into off_linktype, off_nl and off_nl_nosnap on the pcap
side
of things.




This document is strictly confidential and intended only for use by the addressee unless otherwise stated.  If you are not the intended recipient, please notify the sender immediately and delete it from your system.

If you read this message, destroy yourself ;-)

Regards, ULFL