Wireshark-dev: Re: [Wireshark-dev] Application-layer capture files

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Thu, 23 Sep 2010 09:11:05 +0200
On 09/23/2010 12:00 AM, Hadriel Kaplan wrote:
> Howdy,
> For a few years my company's provided a free offline tool to convert from an internal SIP message capture format of SIP messages received by our system parsers, to pcap format.  This tool does the classic trick of creating fake Ethernet+IP+UDP headers and formatting the thing as a pcap.  It made sense to do this, because it lets us capture the real IP:port info in the fake IP/UDP headers, so that wireshark displays them and the user can sort/filter based on ip and do conversation analysis, etc.  We don't want to do real raw packet captures as they're received off-the-wire, because SIP could run over TLS or IPsec and would only show encrypted data.
>
> This all worked fine when everything was SIP over UDP over IPv4.  But SIP over TCP exists as well, and even over IPv6.  Over TCP in particular, when "capturing" at the application layer you don't have access to sequence numbers and such, and recording them as UDP packets is really misleading (and screws up).  Furthermore, we'd like to change our systems to be able to create a file format and encap type wireshark will (someday) understand natively.
>
> I could write a patch for wireshark to handle a new WTAP_ENCAP_RAW_SIP_SOCKET or some such, with a small header that records the ip:port:transport info we do have at the app layer, and a dissector that handles that before calling SIP's dissector.  But it occurs to me we can't be the first ones with this problem - things like HTTP and other application layer parsers/apps must want the ability to "capture" into a file like pcap at their layer too, so is there some existing solution (encap format, file format, dissector, whatever) that I'm overlooking?  I've tried to check the source code of every one that looks like it might do it, but I can't find one.
>
> -hadriel


Hi,

I understand what you're doing in this matter (I do a similar thing in our software), still I doubt it's a good idea to strip out the underlying network layer information. That information is needed in Wireshark to get a grasp of the nodes involved, conversations between endpoints, etc. All kinds of analysis functions are based on that. Making it a pure application level dissection strips away what makes Wireshark Wireshark, a *network* traffic analyzer, not an application log viewer.

I'm not sure why UDP encapsulation won't work for you in this case. You most likely tap your SIP messages between the SIP engine and the protocol stack. There you have complete SIP messages, ideal for putting in UDP encapsulated payloads. Otherwise a fake TCP engine could help you out in writing the capture files, to keep the stream concept going, although it's not the real network traffic.

Thanks,
Jaap
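The "classic trick" Hadriel describes and Jaap endorses, synthetic Ethernet/IPv4/UDP headers around an application-captured SIP message written out as a classic pcap file, as an added example that is not code from either poster or from Wireshark. The addresses, ports, MAC filler and the SIP message are constructed placeholders; only the IP:port values are what the application layer actually knows.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
# Constructed sample: a minimal SIP request as the application layer would hand it over.
SAMPLE_SIP = (b"OPTIONS sip:bob@example.invalid SIP/2.0\r\n"
              b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-example\r\n"
              b"Content-Length: 0\r\n\r\n")

def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; returns 0 when verifying a correct header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def fake_udp_frame(src_ip, src_port, dst_ip, dst_port, payload):
    """Wrap one application-layer message in synthetic Ethernet/IPv4/UDP headers.
    Only the addresses and ports are real; MACs, TTL, IP id and the UDP checksum
    (left at 0 = 'not computed') are filler so Wireshark can still build conversations."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]  # fill checksum
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"  # fake MACs, IPv4
    return eth + ip_hdr + udp

def pcap_bytes(records):
    """Serialize (timestamp_seconds, frame_bytes) pairs as a classic little-endian pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def sample_capture():
    """One constructed SIP message from 192.0.2.10:5060 to 198.51.100.7:5060, as pcap bytes."""
    frame = fake_udp_frame("192.0.2.10", 5060, "198.51.100.7", 5060, SAMPLE_SIP)
    return pcap_bytes([(1285225865.5, frame)])

if __name__ == "__main__":
    with open("sip_from_app_layer.pcap", "wb") as f:
        f.write(sample_capture())
```

Opening the resulting file in Wireshark gives the same IP/UDP conversation view Jaap refers to, with the SIP dissector picking the payload up by port; TCP-originated messages carried this way still appear as UDP, which is exactly the misrepresentation Hadriel raises.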