Wireshark-dev: Re: [Wireshark-dev] Feeding the 802.15.4 Dissector

From: Rui Pedro Caldeira <rpcaldeira@xxxxxxxxxxx>
Date: Wed, 31 Jul 2013 10:46:35 +0100
Hey Tomasz, thanks for the anwser. But my main question is how to write the bytes into the pipe so that Wireshark recognizes them as IEEE 802.15.4 packets, kinda like a structure that Wireshark is waiting for. I cannot just write the packet into the pipe, Wireshark gives me an error :S

Thanks again

Cumprimentos,
Rui Pedro Caldeira


On Wed, Jul 31, 2013 at 6:35 AM, Tomasz Moń <desowin@xxxxxxxxx> wrote:
On Tue, Jul 30, 2013 at 3:49 PM, Rui Pedro Caldeira
<rpcaldeira@xxxxxxxxxxx> wrote:
> Hello, I'm using Wireshark to read from a pipe and i'm using the native IEEE
> 802.15.4 dissector, but I'm having trouble feeding Wireshark the proper
> bytes. I've tried to search but I can't find the right sequence of bytes the
> dissector is waiting for.
>
> Can anyone help me? Thanks in advance.

Not sure if that's exactly what you are asking for, but:

802.15.4 dissector does following in proto_reg_handoff_ieee802154:

    dissector_add_uint("wtap_encap", WTAP_ENCAP_IEEE802_15_4,
ieee802154_handle);
    dissector_add_uint("wtap_encap",
WTAP_ENCAP_IEEE802_15_4_NONASK_PHY, ieee802154_nonask_phy_handle);
    dissector_add_uint("wtap_encap", WTAP_ENCAP_IEEE802_15_4_NOFCS,
ieee802154_nofcs_handle);
    dissector_add_uint("sll.ltype", LINUX_SLL_P_IEEE802154, ieee802154_handle);

If you look into wiretap/pcap-common.c you will find that following
linktypes are assigned for the WTAP_ENCAP_ defines:

    /* IEEE 802.15.4 Wireless PAN */
    { 195, WTAP_ENCAP_IEEE802_15_4 },
    ...
    /* IEEE 802.15.4 Wireless PAN non-ASK PHY */
    { 215, WTAP_ENCAP_IEEE802_15_4_NONASK_PHY },
    ...
    /* IEEE 802.15.4 Wireless PAN no fcs */
    { 230, WTAP_ENCAP_IEEE802_15_4_NOFCS },

Now, get over to the tcpdump linktypes [1] and check the descriptions
for 195, 215, 230. Choose the one that is closest match to your data
and then set that number as linktype in pcap header.

[1] http://www.tcpdump.org/linktypes.html
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe