Wireshark-dev: Re: [Wireshark-dev] ATM support in Wireshark

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 15 Jul 2008 23:59:09 -0700

On Jul 15, 2008, at 11:09 PM, Munish Dayal wrote:

Is there support for capturing and dissecting ATM traffic in Wireshark ?
Particularly for direct ATM traffic, for example ATM -> AAL2/AAL5  -> SSCOP/FP/other protocols.

Yes...

...but, on Linux, you can only do it with a DAG card from Endace.

I saw packet-atm.c, but I think it has support for LANE only (LAN emulation over ATM).

No.  It also handles LLC-multiplexed AAL5 traffic, ILMI traffic, and Q.2931 traffic, for example.

How does the current packet-atm.c work?

It either uses information supplied in the capture file to determine the traffic type, uses the VPI/VCI of the traffic, or uses some heuristics.

What sort of capture file does it require?

Direct ATM traffic can be read from:

text output files from Catapult DCT2000 test equipment:


files from the EyeSDN devices (they don't talk about ATM on their site in any obvious place, but code was contributed to handle ATM in their files, so perhaps they did at one point):


files from IBM's iptrace utility on AIX;

captures from some Tektronix K12 and K15 devices;

SunATM captures, whether in libpcap format (done with tcpdump, Wireshark, etc.) or snoop format (done with snoop);

captures done with Endace cards, whether in libpcap format (done with tcpdump, Wireshark, etc.) or ERF format (done with, I think, some software Endace offers);

Microsoft Network Monitor 2.x ATM captures;

ATM captures from Network General^W^WNetwork Associates^W^WNetwork General Sniffers;

captures from Visual Networks UpTime Select (they're now owned by Fluke; I don't know whether that's still available).


Another question is regarding CLIP (classical IP over ATM). How does Wireshark/dumpcap captures CLIP traffic ?

It captures on a network adapter that implements CLIP.

Does ATM dissector come into picture here ?

No.  Those adapters don't supply raw ATM packets.