Wireshark-dev: Re: [Wireshark-dev] Defining a DLT which could be used to dissect any protocol.

From: Anders Broman <a.broman@xxxxxxxxxxxx>
Date: Tue, 07 Feb 2012 20:11:12 +0100
Guy Harris skrev 2012-02-07 19:38:
On Feb 7, 2012, at 6:33 AM, Anders Broman wrote:

How about defining a DLT with a TLV based header which could be used to carry any protocol - a tag would contain the name of the protocol to be called the name would of course have to correspond
To the name the dissector has registered in Wireshark - yes this is a weakness an alternative would be to give every protocol a number but that means keeping a registry list.
Tags could be defined to carry any extra info needed.
What is the purpose of this?

I *REALLY* don't like "generic" link-layer type values that don't cover a specific protocol.  If people want multiple different link-layer header types in the same file, that's what pcap-NG is for.

Note also that there isn't a one-to-one correspondence between protocol names and dissector names - for example, we have multiple dissectors for Ethernet, depending on whether:

	we know that the packet includes an FCS;

	we know that the packet doesn't include an FCS;

	we don't know whether it includes an FCS or not.
The use case I was thinking of is equipment giving off log files containing "upper" layer protocols stripping off the transport layer, writing such a log in pacp(ng) format makes it possible to use Wiresharks filtering and dissection capabilities and share the file between vendor and supplier without distributing any tools to view the file with. If something like this works better in pcapng that's fine but can you specify "next" protocol there or is a DLT still needed?

I was imagining a tailor made file for Wireshark so the tool writing the file would have to use the "right" name.

An example would be an eNodeB writing out S1AP ,LTE-RRC X2AP and(?) into the same file or a MGC writing SIP, H323, H248, ISUP with or without MTP3 to the same file. Stripping of the transport layer and reassemble the payload before writing to file also has it's advantages. the address tag can be used to set appropriate addresses.

A text tag could be used for additional information.

One advantage is that every protocol does not need its own DLT.
Best regards
Anders

Regards
Anders

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list<wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
              mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe