Wireshark-dev: Re: [Wireshark-dev] N in 1 packets

From: Akos Vandra <axos88@xxxxxxxxx>
Date: Sat, 10 Dec 2011 15:17:41 +0100
Thank you for your answers. Maybe I'll solve this by doing some of the
packet handling (extracting the inner packets) from libpcap, and doing
the real dissection in wireshark. Maybe that won't be too much of a
hack.

However I have another question that arose: Is there a way to
configure the capture interface from wireshark? My data comes in
through a serial port, and I have to set the baud rate for it. I can
default to a baud rate of course, but it would be best if there was an
option to set it when starting the capture. I remember that I could
set some parameters in older versions of wireshark, but can't seem to
find the option now.

Thank you for pointing out README.developer to me, I started reading
it, but it's quite long, and it will take some time :)

Regards,
  Ákos Vandra

On 10 December 2011 14:11, Sake Blok <sake@xxxxxxxxxx> wrote:
> On 10 dec 2011, at 00:11, Akos Vandra wrote:
>
>> The target want to send these packet, in timely order:
>>
>> Exception 15 occured - 5 bytes
>> Exception 3 occured - 5 bytes
>> Memory address written - 6 bytes
>> Exception 3 handling done - 5 bytes
>> Exception 15 handling done - 5 bytes
>> All exceptions handled, returning to user application - 3 bytes.
>>
>> On the wire I can see two 16-byte frames. The first one contains the
>> first 3 "interesting" packets, the second one the last 3.
>>
>> My question is this:
>>
>> Should the pcap code doing the packet capturing present the incoming
>> datastream as two 16-byte frames, or split the dissection of the
>> packets, and the libpcap code - upon receipt of a 16-byte frame -
>> dissect the frame, and present the 3 packets as different packets to
>> wireshark?
>
> The task of libpcap is to capture frames and hand each frame to wireshark, no dissection is done by libpcap, that is wiresharks job.
>>
>> Is it possible for a wireshark dissector to say "hey, this packet
>> isn't really a packet, actually there are 3 packets here"!
>
> Yes, this is how wireshark works if you implement your dissector to do that. Many dissectors work like that. For example, visit an https site and capture the traffic. You will most probably see multiple SSL records and/or multiple HandShake messages in one frame (sometimes after reassembly if a PDU was split across two or more packets).
>
>> For this project to be useful I need to present the packets in the
>> wireshark window as seen above. Seeing 2 packets, and then seeing the
>> inner packets in the subtree is not a good idea.
>
> You're out of luck here with the combination libpcap / wireshark. You will need to make substantial changes to either one of them to make that possible.
>
>> Also, sometimes these
>> "sub-packets" are not within a single 16-byte frame, sometimes they
>> are split, if the remaining space in the 16-byte frame is too small
>> for the packet to fit.
>
> This is possible, as can be seen in the SSL example I mentioned earlier. There are two ways of doing this in wireshark. More details on reassembly can be found in README.developer (in the source tree).
>
> Cheers,
> Sake
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe