Wireshark-dev: Re: [Wireshark-dev] Wireshark Profiles and Configurations

From: Fred Marshall <fred@xxxxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 08 Apr 2010 15:46:07 -0700
Yes.  That helps a lot! And now I know better where to look.
 Thanks!
fred


wireshark-dev-request@xxxxxxxxxxxxx wrote:
Send Wireshark-dev mailing list submissions to
	wireshark-dev@xxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
	https://wireshark.org/mailman/listinfo/wireshark-dev
or, via email, send a message with subject or body 'help' to
	wireshark-dev-request@xxxxxxxxxxxxx

You can reach the person managing the list at
	wireshark-dev-owner@xxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Wireshark-dev digest..."


Today's Topics:

   1. Profiles and Configurations (Fred Marshall)
   2. Re: Profiles and Configurations (Maynard, Chris)
   3. time question (Brian Oleksa)
   4. USB URB hex bytes not shown (Maynard, Chris)
   5. Re: USB URB hex bytes not shown (Guy Harris)
   6. Re: time question (Anders Broman)
   7. Re: USB URB hex bytes not shown (Maynard, Chris)


----------------------------------------------------------------------

Message: 1
Date: Wed, 07 Apr 2010 18:00:17 -0700
From: Fred Marshall <fmarshall@xxxxxxx>
Subject: [Wireshark-dev] Profiles and Configurations
To: wireshark-dev@xxxxxxxxxxxxx
Message-ID: <4BBD2AA1.7060106@xxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

I'm posting here because it was suggested prior to adding to the wish list.

I'm using multiple interfaces simultaneously and it would be really good 
if I could use a profile or configuration that was predefined and named. 
Now, this capability seems to be there already but I'll be darned if I 
can figure out how to use it reliably.
There appear to be no instructions in this regard.

Is this a reasonable thing to add to the wish list?

Thanks,

fred



------------------------------

Message: 2
Date: Thu, 8 Apr 2010 10:26:49 -0400
From: "Maynard, Chris" <Christopher.Maynard@xxxxxxxxx>
Subject: Re: [Wireshark-dev] Profiles and Configurations
To: 'Developer support list for Wireshark'
	<wireshark-dev@xxxxxxxxxxxxx>
Message-ID:
	<FEA7253CE01175418CE6A9BE162A9155014773A5@xxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

Does this help?
http://www.wireshark.org/docs/wsug_html_chunked/ChCustConfigProfilesSection.html
- Chris

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Fred Marshall
Sent: Wednesday, April 07, 2010 9:00 PM
To: wireshark-dev@xxxxxxxxxxxxx
Subject: [Wireshark-dev] Profiles and Configurations

I'm posting here because it was suggested prior to adding to the wish list.

I'm using multiple interfaces simultaneously and it would be really good 
if I could use a profile or configuration that was predefined and named. 
Now, this capability seems to be there already but I'll be darned if I 
can figure out how to use it reliably.
There appear to be no instructions in this regard.

Is this a reasonable thing to add to the wish list?

Thanks,

fred

[snip]
CONFIDENTIALITY NOTICE: The contents of this email are confidential
and for the exclusive use of the intended recipient. If you receive this
email in error, please delete it from your system immediately and 
notify us either by email, telephone or fax. You should not copy,
forward, or otherwise disclose the content of the email.



------------------------------

Message: 3
Date: Thu, 08 Apr 2010 10:41:47 -0400
From: Brian Oleksa <oleksab@xxxxxxxxxxxxxxxxxxxxxx>
Subject: [Wireshark-dev] time question
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Message-ID: <4BBDEB2B.80100@xxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed


Wiresharkers

I am trying to dissect the time in a particular packet. Here is it's format:

"The time is the source computer's system time in Greenwich Mean Time 
(GMT)." The size is 32 bits or 4 bytes.

What is the best method to use to dissect this time..?? I tired 
this...but did not have any luck:

                        nstime_t t;
                        guint64 msecs_since_the_epoch;
                        struct tm *tmp;
                        msecs_since_the_epoch = tvb_get_ntoh64(tvb, offset);
                        t.secs = msecs_since_the_epoch / 1000;
                        t.nsecs = (msecs_since_the_epoch % 
1000)*1000000; /* milliseconds to nanoseconds */
                        tmp = gmtime(&t.secs);

                    if (tmp != NULL)
                        {
                        proto_tree_add_time_format(time_sub_tree, 
hf_helen_time, tvb, offset, 4, &t,
                                "Date: %s %2d, %d %02d:%02d:%02d UTC", 
mon_names[tmp->tm_mon], tmp->tm_mday,
                                tmp->tm_year + 1900, tmp->tm_hour, 
tmp->tm_min, tmp->tm_sec);
                        }
                        offset += 4




Also...I am trying to dissect longitude, latitude and altitude. Here is 
it's format. The size is also 32 bits or 4 bytes.

The <latitude>, <longitude>, and <altitude> fields contain values 
corresponding to GPS information for the MGEN source if it was 
available. The <latitude> and <longitude> fields are encoded as follows:

<fieldValue> = (unsigned long)((<actualValue>+180.0)*60000.0)

The <altitude> field is the direct representation of the altitude value 
available from the source's GPS system.

I tried this but had no luck:

            longitude = tvb_get_ntoh64(tvb, offset);
            longitude = (longitude+180)*60000;
            proto_tree_add_uint_format(mgen_sub_tree, hf_helen_length, 
tvb, offset, 4, 0,
                  "Longitude: %f", longitude);
            offset += 4;



Thanks,
Brian








------------------------------

Message: 4
Date: Thu, 8 Apr 2010 14:28:36 -0400
From: "Maynard, Chris" <Christopher.Maynard@xxxxxxxxx>
Subject: [Wireshark-dev] USB URB hex bytes not shown
To: 'Developer support list for Wireshark'
	<wireshark-dev@xxxxxxxxxxxxx>
Message-ID:
	<FEA7253CE01175418CE6A9BE162A9155014773AD@xxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

For DLT_USB_LINUX, is there any good reason why the pcap_usb_header information (from libpcap's pcap/usb.h file) is only displayed in the "packet details" pane, but the hex bytes don't appear in the "packet bytes" pane?  (See attached sample capture file containing a single frame depicting this.)

Using SVN 32429 on Windows XP SP3 (32-bit).
- Chris


CONFIDENTIALITY NOTICE: The contents of this email are confidential
and for the exclusive use of the intended recipient. If you receive this
email in error, please delete it from your system immediately and 
notify us either by email, telephone or fax. You should not copy,
forward, or otherwise disclose the content of the email.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.wireshark.org/lists/wireshark-dev/attachments/20100408/8cac5b25/attachment.htm 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: usburbex.pcap
Type: application/octet-stream
Size: 88 bytes
Desc: usburbex.pcap
Url : http://www.wireshark.org/lists/wireshark-dev/attachments/20100408/8cac5b25/attachment.obj 

------------------------------

Message: 5
Date: Thu, 8 Apr 2010 11:34:29 -0700
From: Guy Harris <guy@xxxxxxxxxxxx>
Subject: Re: [Wireshark-dev] USB URB hex bytes not shown
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Message-ID: <07886FFF-BDD9-4DBA-9B75-512126119FAC@xxxxxxxxxxxx>
Content-Type: text/plain; charset=windows-1252


On Apr 8, 2010, at 11:28 AM, Maynard, Chris wrote:

  
For DLT_USB_LINUX, is there any good reason why the pcap_usb_header information (from libpcap?s pcap/usb.h file) is only displayed in the ?packet details? pane, but the hex bytes don?t appear in the ?packet bytes? pane?  (See attached sample capture file containing a single frame depicting this.)
    
The reason is that, for better or worse, that's treated by the Wiretap library code that reads it as a "pseudo-header".

Whether that's a *good* reason is another matter.

Note that the data in question is in the host byte order of the machine on which the capture was done, so if the data were to be fetched from a tvbuff, it would have to be fetched in that byte order.  That information is available (although it gets more complicated with pcap-ng, as the byte order is per-section, *not* per-interface, so, for example, if multiple pcap-ng captures, including one or more USB interfaces, were to be merged, the pcap_usb_header information would have to be put into the appropriate byte order when writing the capture).


------------------------------

Message: 6
Date: Thu, 08 Apr 2010 20:37:18 +0200
From: Anders Broman <a.broman@xxxxxxxxx>
Subject: Re: [Wireshark-dev] time question
To: wireshark-dev@xxxxxxxxxxxxx
Message-ID: <4BBE225E.1070409@xxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Brian Oleksa skrev 2010-04-08 16:41:
  
Wiresharkers

I am trying to dissect the time in a particular packet. Here is it's format:

"The time is the source computer's system time in Greenwich Mean Time
(GMT)." The size is 32 bits or 4 bytes.

What is the best method to use to dissect this time..?? I tired
this...but did not have any luck:

                         nstime_t t;
                         guint64 msecs_since_the_epoch;
                         struct tm *tmp;
                         msecs_since_the_epoch = tvb_get_ntoh64(tvb, offset);
   
    
Well you are fetching 8 bytes not four...
  
                         t.secs = msecs_since_the_epoch / 1000;
                         t.nsecs = (msecs_since_the_epoch %
1000)*1000000; /* milliseconds to nanoseconds */
                         tmp = gmtime(&t.secs);

                     if (tmp != NULL)
                         {
                         proto_tree_add_time_format(time_sub_tree,
hf_helen_time, tvb, offset, 4,&t,
                                 "Date: %s %2d, %d %02d:%02d:%02d UTC",
mon_names[tmp->tm_mon], tmp->tm_mday,
                                 tmp->tm_year + 1900, tmp->tm_hour,
tmp->tm_min, tmp->tm_sec);
                         }
                         offset += 4




Also...I am trying to dissect longitude, latitude and altitude. Here is
it's format. The size is also 32 bits or 4 bytes.

The<latitude>,<longitude>, and<altitude>  fields contain values
corresponding to GPS information for the MGEN source if it was
available. The<latitude>  and<longitude>  fields are encoded as follows:

<fieldValue>  = (unsigned long)((<actualValue>+180.0)*60000.0)

The<altitude>  field is the direct representation of the altitude value
available from the source's GPS system.

I tried this but had no luck:

             longitude = tvb_get_ntoh64(tvb, offset);
   
    
Well you are fetching 8 bytes not four...
  
             longitude = (longitude+180)*60000;
   
    
Assuming the field on the wire is encoded as:

<fieldValue>  = (unsigned long)((<actualValue>+180.0)*60000.0)

shouldn't that be (double)actualValue= (longitude/60000.0)-180
  
             proto_tree_add_uint_format(mgen_sub_tree, hf_helen_length,
tvb, offset, 4, 0,
                   "Longitude: %f", longitude);
             offset += 4;



Thanks,
Brian






___________________________________________________________________________
Sent via:    Wireshark-dev mailing list<wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
              mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

   
    


------------------------------

Message: 7
Date: Thu, 8 Apr 2010 14:45:49 -0400
From: "Maynard, Chris" <Christopher.Maynard@xxxxxxxxx>
Subject: Re: [Wireshark-dev] USB URB hex bytes not shown
To: 'Developer support list for Wireshark'
	<wireshark-dev@xxxxxxxxxxxxx>
Message-ID:
	<FEA7253CE01175418CE6A9BE162A9155014773AE@xxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

Hmm, I'm still confused.  Byte order aside, the "packet details" pane contains information from the "pseudo-header".  For example, in the example capture file I sent, the URB id filed is displayed as:

	URB id: 0xffff810024eaab40

But nowhere in the "packet bytes" pane do those bytes appear.

Contrast this with the attached example of a Linux cooked capture where the cooked pseudo header is present and the hex bytes are also shown.  Selecting each of the fields within the cooked header highlights the corresponding bytes in the "packet bytes" pane.  I guess I would expect the same behavior for DLT_USB_LINUX as we get for DLT_LINUX_SLL.

- Chris


-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Thursday, April 08, 2010 2:34 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] USB URB hex bytes not shown


On Apr 8, 2010, at 11:28 AM, Maynard, Chris wrote:

  
For DLT_USB_LINUX, is there any good reason why the pcap_usb_header information (from libpcap's pcap/usb.h file) is only displayed in the "packet details" pane, but the hex bytes don't appear in the "packet bytes" pane?  (See attached sample capture file containing a single frame depicting this.)
    
The reason is that, for better or worse, that's treated by the Wiretap library code that reads it as a "pseudo-header".

Whether that's a *good* reason is another matter.

Note that the data in question is in the host byte order of the machine on which the capture was done, so if the data were to be fetched from a tvbuff, it would have to be fetched in that byte order.  That information is available (although it gets more complicated with pcap-ng, as the byte order is per-section, *not* per-interface, so, for example, if multiple pcap-ng captures, including one or more USB interfaces, were to be merged, the pcap_usb_header information would have to be put into the appropriate byte order when writing the capture).
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
CONFIDENTIALITY NOTICE: The contents of this email are confidential
and for the exclusive use of the intended recipient. If you receive this
email in error, please delete it from your system immediately and 
notify us either by email, telephone or fax. You should not copy,
forward, or otherwise disclose the content of the email.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cookedex.pcap
Type: application/octet-stream
Size: 108 bytes
Desc: cookedex.pcap
Url : http://www.wireshark.org/lists/wireshark-dev/attachments/20100408/b916d99f/attachment.obj 

------------------------------

_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-dev


End of Wireshark-dev Digest, Vol 47, Issue 11
*********************************************