In the previous version of Wireshark, the conversion from ERF to libpcap
was like this:

For TYPE_ATM, TYPE_AAL5:
    WTAP_ENCAP_ATM_PDUS
    or WTAP_ENCAP_ATM_RFC1483
    or WTAP_ENCAP_ATM_PDUS_UNTRUNCATED
For TYPE_ETH:
    WTAP_ENCAP_ETHERNET
For TYPE_HDLC_POS:
    WTAP_ENCAP_PPP
    or WTAP_ENCAP_CHDLC
For other types:
    WTAP_ENCAP_UNKNOWN
Since wireshark-0.99.8, the encapsulation is always WTAP_ENCAP_ERF
(DLT_ERF).
The main reason for this change was to keep all the information
contained in the ERF header.
Another reason is that the new ERF types are not taken into account
for format conversion, and there is no possibility to deduce the
datalink from the ERF type. That's why the user has to select the
protocol to use for decoding the ERF type in the preferences.
For the present case, Wireshark is used to convert an ERF file to
libpcap format, and then the converted file is injected into a sniffer
using a capture filter. As said by Guy, the capture filter for "ip" is
not implemented for the datalink DLT_ERF. Only the filters for MTP2 have
been implemented for this datalink.
I will check if I can implement the possibility to choose the DLT to use
for the conversion to libpcap, but in the meantime I suggest you
convert your file with a previous version of Wireshark, so you can use a
capture filter in your sniffer.
Regards
Florent
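Added example (not Florent's code and not Wireshark's own conversion code): a small C parser for the 16-byte ERF record header, with the pre-0.99.8 per-type mapping listed above beside the post-0.99.8 "always WTAP_ENCAP_ERF" rule. It assumes the ERF type numbers from Endace's erf.h (TYPE_HDLC_POS=1, TYPE_ETH=2, TYPE_ATM=3, TYPE_AAL5=4, high bit = extension header present); the record bytes in main() are constructed for illustration, and where the old code had several ATM/HDLC options the example simply picks the first one listed, which is an assumption.

```c
/* ERF record header parser and the two ERF -> wiretap encapsulation rules
 * discussed in the thread. Added example; ERF type values assumed from erf.h. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ERF_HDR_LEN 16

/* ERF record types (assumed values from erf.h for the types the thread names). */
enum erf_type {
    ERF_TYPE_LEGACY   = 0,
    ERF_TYPE_HDLC_POS = 1,
    ERF_TYPE_ETH      = 2,
    ERF_TYPE_ATM      = 3,
    ERF_TYPE_AAL5     = 4
};

struct erf_hdr {
    uint64_t ts;     /* 64-bit fixed-point timestamp, little-endian on the wire */
    uint8_t  type;   /* record type in the low 7 bits; 0x80 = extension header present */
    uint8_t  flags;
    uint16_t rlen;   /* record length including this header, big-endian */
    uint16_t lctr;   /* loss counter / color, big-endian */
    uint16_t wlen;   /* wire length of the captured packet, big-endian */
};

/* Returns 0 on success, -1 if fewer than ERF_HDR_LEN bytes are available. */
int erf_parse_hdr(const uint8_t *buf, size_t len, struct erf_hdr *out)
{
    if (buf == NULL || out == NULL || len < ERF_HDR_LEN)
        return -1;
    out->ts = 0;
    for (int i = 7; i >= 0; i--)          /* little-endian 64-bit timestamp */
        out->ts = (out->ts << 8) | buf[i];
    out->type  = buf[8];
    out->flags = buf[9];
    out->rlen  = (uint16_t)((buf[10] << 8) | buf[11]);
    out->lctr  = (uint16_t)((buf[12] << 8) | buf[13]);
    out->wlen  = (uint16_t)((buf[14] << 8) | buf[15]);
    return 0;
}

/* Pre-0.99.8 rule: encapsulation chosen per ERF type. Where the thread lists
 * several options for a type, the first one is used here (assumption). */
const char *erf_type_to_old_encap(uint8_t type)
{
    switch (type & 0x7f) {                /* strip the extension-header bit */
    case ERF_TYPE_ATM:
    case ERF_TYPE_AAL5:     return "WTAP_ENCAP_ATM_PDUS";
    case ERF_TYPE_ETH:      return "WTAP_ENCAP_ETHERNET";
    case ERF_TYPE_HDLC_POS: return "WTAP_ENCAP_PPP";
    default:                return "WTAP_ENCAP_UNKNOWN";  /* newer ERF types */
    }
}

/* Post-0.99.8 rule: every record keeps its ERF header, so one encapsulation. */
const char *erf_type_to_new_encap(uint8_t type)
{
    (void)type;
    return "WTAP_ENCAP_ERF";
}

int main(void)
{
    /* Constructed ERF header: ts = 0x80000000 (0.5 s fraction), TYPE_ETH,
     * flags = 0x04, rlen = 80, lctr = 0, wlen = 60. */
    static const uint8_t rec[ERF_HDR_LEN] = {
        0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00,
        0x02, 0x04, 0x00, 0x50, 0x00, 0x00, 0x00, 0x3c
    };
    struct erf_hdr h;
    if (erf_parse_hdr(rec, sizeof rec, &h) != 0)
        return 1;
    printf("type=%u rlen=%u wlen=%u old=%s new=%s\n",
           h.type, h.rlen, h.wlen,
           erf_type_to_old_encap(h.type), erf_type_to_new_encap(h.type));
    return 0;
}
```

The default branch is the practical point of the thread: for any ERF type beyond the four legacy ones, the old rule could only produce WTAP_ENCAP_UNKNOWN, which is why the newer code stopped guessing and writes DLT_ERF instead.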
Stephen Donnelly wrote:
On Tue, 2008-03-11 at 01:04 -0700, Guy Harris wrote:
vcarela wrote:
The problem is that if I capture with Wireshark a trace from my eth0
connection and save it as a "Wireshark/tcpdump/...-libpcap" file, then
when I run the sniffer with this pcap trace the sniffer runs properly.
But if I open a .erf trace from a DAG card with Wireshark and save it
as a "Wireshark/tcpdump/...-libpcap" file, when I run this trace in the
sniffer no packets are dispatched.
When I read an ERF trace, save it with a recent build of Wireshark as a
libpcap-format file, and run a (slightly modified, so it compiles)
version of your program, it prints

Error compilando el filtro 'ip'

without even trying to read the file.
Recent versions of Wireshark save ERF files as libpcap files with a
packet type of DLT_ERF, and the filter compiler in libpcap doesn't
support DLT_ERF.
I wonder if that is the best approach? On the plus side it avoids losing
information such as timestamp precision, but on the downside it is not
widely interoperable.
If the user's purpose in saving to libpcap format is to use the file
with another program then saving to DLT_ERF may not be useful.
When you save a capture in libpcap format Wireshark doesn't prompt you
for which DLT to use? How does it decide which DLT is appropriate?
Stephen