Wireshark-dev: Re: [Wireshark-dev] catapult_pcap

From: Martin Mathieson <martin.r.mathieson@xxxxxxxxxxxxxx>
Date: Mon, 23 Mar 2009 16:36:37 +0000


On Mon, Mar 23, 2009 at 4:08 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:

On Mar 23, 2009, at 8:33 AM, SOLTANI FATEN wrote:

> As you know, Wireshark is able to read a catapult format (DCT2000),
> I want to know HOW? By conversion from DCT2000 format to pcap format,
> or are there some modifications which were made in the Wireshark library
> to make it able to read this format?

There are modifications in one of the Wireshark libraries (there's
more than one of them).  The Wiretap library, which reads capture
files, includes modules to support many capture files, including pcap
format, classic DOS Sniffer format, NetXRay/Windows Sniffer format,
Microsoft Network Monitor format - and Catapult DCT2000 format.


Also note that it's not generally possible to convert DCT2000 format files to pcap format.
- there is often not a corresponding pcap encapsulation for DCT2000 protocols
- DCT2000 files can include an arbitrary mixture of protocols, whereas pcap files (always?) have a single encapsulation type.  I can't remember exactly what the restriction here is...

There is still some information in the file format that can't easily be imported into Wireshark (e.g. error messages), and looking at your sample, you would also need to skip lines that don't correspond to frames that have a timestamp and frame data that can be fed into a Wireshark dissector.

Martin
