Wireshark-dev: Re: [Wireshark-dev] Direction definition on packet bus with no direction info in

From: Martin Kaiser <lists@xxxxxxxxx>
Date: Sun, 28 Oct 2012 19:22:54 +0100
Hi,

Thus wrote Andrew Lonsdale (calonsdale1@xxxxxxxxx):

> I'm writing a dissector for an interface which doesn't indicate direction
> of data flow in the packet headers. I currently capture separate files in
> pcapng format for uplink and downlink (separate streams), but I could merge
> the two into a file. Currently I just open one file and merge the other in
> Wireshark itself.

> It would be useful to be able to indicate in the PROTOCOL column if a
> packet is an uplink or downlink packet, and I have four possible methods in
> mind:

> 1) Have two different DLTs, one for uplink and one for downlink, and
> effectively treat the two as separate interfaces. This is probably easiest
> but seems heavy handed.

> 2) I have been looking into setting the epb_flags option in the EHB blocks
> to indicate uplink and downlink, but I can't find out how to access that
> field of data in my dissector.

> 3) Add an opt_comment with known text ("UP" or "DN") and parse for that
> text during dissection. Easy to implement but a bit clunky.

> 4) Fiddle with a reserved bit in the packet header. This feels like a bad
> thing to do as it alters the item under test.

> Method 2 feels like it would be the right thing to do, and 3 looks like the
> easiest.

> Is there a preferred way of dealing with this issue, and does anyone have
> any observations about what I am trying to do?

It sounds like your setup is quite similar to DVB-CI (packet-dvbci.c).
DVB-CI sends a stream of bytes without direction information but the
capturing tool is aware of the direction.

The solution we came up with is to have one DLT. The pcap packet data
consists of a pseudo-header and the actual bytes that are transferred.
The dissector picks up the direction from the pseudo-header.
The capturing tool has to create the pseudo header for every packet it
captures.

Would something like this work for you as well?

   Martin
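
The pseudo-header approach described in the reply above, sketched as an added example that is not part of the original post and is not taken from packet-dvbci.c. The two-byte layout (version, direction) and all names here are assumptions made for illustration; the capture tool wraps each packet and the dissector validates the pseudo-header before using it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PHDR_LEN 2          /* assumed layout: [0]=version, [1]=direction */
#define PHDR_VER 1
enum bus_dir { DIR_INVALID = -1, DIR_UPLINK = 0, DIR_DOWNLINK = 1 };

/* Capture side: prepend the pseudo-header to the raw bus bytes.
 * Returns the wrapped length, or 0 if the input is invalid or does not fit. */
size_t phdr_wrap(enum bus_dir dir, const uint8_t *raw, size_t raw_len,
                 uint8_t *out, size_t out_cap)
{
    if (dir != DIR_UPLINK && dir != DIR_DOWNLINK) return 0;
    if (out_cap < PHDR_LEN || raw_len > out_cap - PHDR_LEN) return 0;
    out[0] = PHDR_VER;
    out[1] = (uint8_t)dir;
    memcpy(out + PHDR_LEN, raw, raw_len);
    return PHDR_LEN + raw_len;
}

/* Dissector side: a capture file is untrusted input, so check length,
 * version and direction value before pointing at the payload. */
enum bus_dir phdr_unwrap(const uint8_t *pkt, size_t len,
                         const uint8_t **payload, size_t *payload_len)
{
    if (len < PHDR_LEN || pkt[0] != PHDR_VER) return DIR_INVALID;
    if (pkt[1] != DIR_UPLINK && pkt[1] != DIR_DOWNLINK) return DIR_INVALID;
    *payload = pkt + PHDR_LEN;
    *payload_len = len - PHDR_LEN;
    return (enum bus_dir)pkt[1];
}

int main(void)
{
    const uint8_t raw[] = { 0xA0, 0x01, 0x02 };   /* constructed sample bus bytes */
    uint8_t pkt[16];
    const uint8_t *pl;
    size_t pl_len;
    size_t n = phdr_wrap(DIR_DOWNLINK, raw, sizeof raw, pkt, sizeof pkt);
    enum bus_dir d = phdr_unwrap(pkt, n, &pl, &pl_len);
    if (d == DIR_INVALID) return 1;
    printf("%s, %zu payload bytes\n", d == DIR_UPLINK ? "UP" : "DN", pl_len);
    return 0;
}
```

With this layout both directions share one link type, and the merged uplink/downlink file needs no per-file distinction.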