Hi,
I'm in the process of adding support for the NetScreen snoop file format.
The basics are already finished (see bug 1717). Right now I'm working
on selecting the right link-layer type for each packet as packets from
different types of interfaces can be in the same file. On top of showing
every packet with the proper WTAP_ENCAP type it would of course be great
to preserve the provided interface-name and the direction of the traffic
as they are present in the dump-file:

    6844308.0: adsl1(i) len=86:000800300000->00121ebbd139/8889
    194.109.5.241 -> 213.84.244.33/41
    vhl=45, tos=00, id=53048, frag=0000, ttl=27 tlen=84
    00 21 45 00 00 54 cf 38 00 00 1b 29 3e 74 c2 6d .!E..T.8...)>t.m
    05 f1 d5 54 f4 21 60 00 00 00 00 18 3a ff fe 80 ...T.!`.....:...
    00 00 00 00 00 00 02 30 48 ff fe 41 3c 32 fe 80 .......0H..A<2..

I can think of several ways to display the interface name and traffic
direction:
- Make use of a pseudo-header. This can be done fairly easily I think if
  I look at the code for other file formats. The downside is that every
  file-format will have its own pseudo-headers containing the same info.
  This makes it hard to use it as a column (which would be great IMHO).
- Insert extra fields in the frame dissector so that the code for each
  file-format can use these fields and they can be used as columns.
- Make use of PPI (Per Packet Information). I have looked at it a bit and
  I think it could facilitate these two fields, but they have to be
  defined. Also I think this will be the most difficult to implement
  (at least for me). If I understand correctly, this will however
  also add the possibility to preserve these fields when the file
  is "saved as...".

Are there any other ideas on how to display interface-names and
traffic-direction within Wireshark? What would be the preferred way
of creating this functionality?

Cheers,
Sake
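
Added example, not part of the original message and not Wireshark's own code: a bounds-checked C parser for the record header line in the dump quoted above, extracting the interface name and direction that the message wants to preserve. The struct, the function name, the field-size limits, the allowed interface-name characters and the `o` direction letter are assumptions; only the sample line comes from the message.

```c
#include <stdio.h>
#include <string.h>

/* Field sizes and limits below are assumptions chosen for this example. */
#define NS_IFNAME_MAX 16
#define NS_MAX_LEN    65535

struct ns_hdr {
    long sec;                   /* timestamp, integer part */
    int  frac;                  /* timestamp, part after the dot */
    char ifname[NS_IFNAME_MAX]; /* e.g. "adsl1" */
    char dir;                   /* 'i' or 'o' as printed in the dump */
    int  len;                   /* value of len= */
    char src[13], dst[13];      /* 12 hex digits each, NUL-terminated */
};

/* Parse one record header line. Returns 0 on success, -1 on malformed input.
 * Every %[ and %d carries a width so a hostile file cannot overrun a field. */
int ns_parse_header(const char *line, struct ns_hdr *h)
{
    char dir[2] = "";
    int end = 0;

    memset(h, 0, sizeof *h);
    if (sscanf(line,
               "%9ld.%9d: %15[A-Za-z0-9/:._-](%1[io]) len=%5d:"
               "%12[0-9a-fA-F]->%12[0-9a-fA-F]/%n",
               &h->sec, &h->frac, h->ifname, dir, &h->len,
               h->src, h->dst, &end) != 7 || end == 0)
        return -1;              /* end stays 0 if the final '/' is missing */
    if (h->sec < 0 || h->frac < 0 || h->len <= 0 || h->len > NS_MAX_LEN)
        return -1;              /* %d accepts a sign, so reject negatives */
    if (strlen(h->src) != 12 || strlen(h->dst) != 12)
        return -1;
    h->dir = dir[0];
    return 0;
}

int main(void)
{
    /* Header line copied from the dump quoted in the message above. */
    const char *line =
        "6844308.0: adsl1(i) len=86:000800300000->00121ebbd139/8889";
    struct ns_hdr h;

    if (ns_parse_header(line, &h) != 0)
        return 1;
    printf("if=%s dir=%c len=%d\n", h.ifname, h.dir, h.len);
    return 0;
}
```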