Wireshark · Wireshark-dev: Re: [Wireshark-dev] How to make libpcap/wiretap understand proprietry/standard link-layers

Wireshark-dev: Re: [Wireshark-dev] How to make libpcap/wiretap understand proprietry/standard l

From: Guy Harris <guy@xxxxxxxxxxxx>

Date: Fri, 19 Sep 2008 01:05:39 -0700


On Sep 18, 2008, at 10:10 PM, Gaurav1 Jain wrote:

Gaurav: yes latter one is the case. If I try to capture theinterface using
Capture à Options à Link Header Type is displayed as Linux CookedMode Capture.

Presumably by "capture the interface" you mean capturing on the Linuxnetwork interface.

If so, that means the Sangoma driver is returning either an unknownARPHRD_ type or one of ARPHRD_ATM or ARPHRD_PPP as its ARPHRD_ type.

When traces are displayed protocol decoded is found to be IP.

It's capturing in cooked mode, with a PF_SOCKET/SOCK_DGRAM socket, sothat the link-layer header is stripped off, and a "cooked" link-layertype supplied (IPv4, if the protocol is IP).

Otherwise when PCAP file is first captured using WanDriver commands(available with WanPipe)


...which means the capture isn't going through libpcap.

and then open using wireshark TZSP is the protocol being displayedon GUI.

...which means that the WanDriver software is writing a pcap-formatfile with a link-layer type of DLT_TZSP.

The only link-layer types supported in DLT_TZSP in Wireshark areEthernet and various forms of 802.11, so presumably it's providing afake Ethernet header.

So what does it mean when it "provides [an] IP interface"?  Does that
mean that the card supplies IP packets, with link-layer headers
stripped off,


Gaurav: yes this is the case.

If that's the case, then you won't ever be able to see the HDLC orproprietary link-layer headers, as the card doesn't give them to thehost, so they're irrelevant.

There is no "ICMP/UDP/TCP/SCTP/IP kind of DLT" attached to *any*
traces; those are all protocols running atop the link layer. Thereis
a DLT_RAW link layer used for packets where there *is* no link-layer
header.
Gaurav: I checked man page of pcap and it says DLT_RAW means packetbegins with IP header.

Yes, that's what "There is a DLT_RAW link layer used for packets wherethere *is* no link-layer

header" means.

Gaurav: We are using HDLC protocol while configuring WANPIPE,
So it should be LIP Protocol stack line where card is gettingconnected and accordingly ARPHRD_ type should be ARPHRD_HDLC.

Only if the card is supplying HDLC headers to the host, which you saidwasn't the case.

Follow-Ups:
- Re: [Wireshark-dev] How to make libpcap/wiretap understand proprietry/standard link-layers
  - From: Gaurav1 Jain
- Re: [Wireshark-dev] How to make libpcap/wiretap understand proprietry/standard link-layers
  - From: Gaurav1 Jain

References:
- [Wireshark-dev] New protocol dissectors developments in Wireshark
  - From: Gaurav1 Jain
- Re: [Wireshark-dev] New protocol dissectors developments in Wireshark
  - From: Peter Johansson
- [Wireshark-dev] How to make libpcap/wiretap understand proprietry/standard link-layers
  - From: Gaurav1 Jain
- Re: [Wireshark-dev] How to make libpcap/wiretap understand proprietry/standard link-layers
  - From: Guy Harris
- Re: [Wireshark-dev] How to make libpcap/wiretap understand proprietry/standard link-layers
  - From: Gaurav1 Jain
- Re: [Wireshark-dev] How to make libpcap/wiretap understand proprietry/standard link-layers
  - From: Guy Harris
- Re: [Wireshark-dev] How to make libpcap/wiretap understand proprietry/standard link-layers
  - From: Gaurav1 Jain

Prev by Date: Re: [Wireshark-dev] How to make libpcap/wiretap understand proprietry/standard link-layers
Next by Date: Re: [Wireshark-dev] How to make libpcap/wiretap understand proprietry/standard link-layers
Previous by thread: Re: [Wireshark-dev] How to make libpcap/wiretap understand proprietry/standard link-layers
Next by thread: Re: [Wireshark-dev] How to make libpcap/wiretap understand proprietry/standard link-layers
Index(es):
- Date
- Thread