Wireshark-dev: Re: [Wireshark-dev] Custom link layer type for logging additional data
From: Michal Labedzki <michal.labedzki@xxxxxxxxx>
Date: Thu, 27 Nov 2014 08:43:32 +0100
How about use "LINKTYPE/DLT WIRESHARK_UPPER_PDU"? With this one (+extcap) "wiretap" is complete replacement of libpcap ("Wiretap is a library that is being developed as a future replacement for libpcap" - wiretap/README). On 27 November 2014 at 08:34, Anil <anilkumar911@xxxxxxxxx> wrote: > Guy, > > Thanks for your reply. I will follow the procedure when I have to checkin > the code (I have not done that as of now). > > My question is more about, 'is it right to use another link type to log > additional information about the packet ?' . The additional information is > not 'really' another link layer header. > > -anil > > On Thu, Nov 27, 2014 at 12:51 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote: >> >> >> On Nov 26, 2014, at 8:18 PM, Anil <anilkumar911@xxxxxxxxx> wrote: >> >> > Hi, >> > >> > During packet capture, I want to log additional data other than what's >> > in the ethernet packet and the per packet pcap header. So, I have created a >> > custom header and am logging additional information into this. >> > >> > I have modified pcap_to_wtap_map[] to add another mapping to add >> > another link type. >> >> And you registered the LINKTYPE_ value that you're using as an index into >> that array with tcpdump-workers@xxxxxxxxxxxxxxxxx, right? As the comment >> before that array says: >> >> /* >> * Map link-layer header types (LINKTYPE_ values) to Wiretap >> encapsulations. >> * >> * Either LBL NRG wasn't an adequate central registry (e.g., because of >> * the slow rate of releases from them), or nobody bothered using them >> * as a central registry, as many different groups have patched libpcap >> * (and BPF, on the BSDs) to add new encapsulation types, and have ended >> * up using the same DLT_ values for different encapsulation types. >> * >> * The Tcpdump Group now maintains the list of link-layer header types; >> * they introduced a separate namespace of LINKTYPE_ values for the >> * values to be used in capture files, and have libpcap map between >> * those values in capture file headers and the DLT_ values that the >> * pcap_datalink() and pcap_open_dead() APIs use. See >> * http://www.tcpdump.org/linktypes.html for a list of LINKTYPE_ values. >> * >> * In most cases, the corresponding LINKTYPE_ and DLT_ values are the >> * same. In the cases where the same link-layer header type was given >> * different values in different OSes, a new LINKTYPE_ value was defined, >> * different from all of the existing DLT_ values. >> * >> * This table maps LINKTYPE_ values to the corresponding Wiretap >> * encapsulation. For cases where multiple DLT_ values were in use, >> * it also checks what <pcap.h> defineds to determine how to interpret >> * them, so that if a file was written by a version of libpcap prior >> * to the introduction of the LINKTYPE_ values, and has a DLT_ value >> * from the OS on which it was written rather than a LINKTYPE_ value >> * as its linktype value in the file header, we map the numerical >> * DLT_ value, as interpreted by the libpcap with which we're building >> * Wireshark/Wiretap interprets them (which, if it doesn't support >> * them at all, means we don't support them either - any capture files >> * using them are foreign, and we don't hazard a guess as to which >> * platform they came from; we could, I guess, choose the most likely >> * platform), to the corresponding Wiretap encapsulation. >> * >> * Note: if you need a new encapsulation type for libpcap files, do >> * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT* >> * add a new encapsulation type by changing an existing entry; >> * leave the existing entries alone. >> * >> * Instead, send mail to tcpdump-workers@xxxxxxxxxxxxxxxxx, asking for >> * a new LINKTYPE_/DLT_ value, and specifying the purpose of the new >> * value. When you get the new LINKTYPE_/DLT_ value, use that numerical >> * value in the "linktype_value" field of "pcap_to_wtap_map[]". >> */ >> >> If you do not request a value from tcpdum-workers@xxxxxxxxxxxxxxxxx, but >> instead choose your own value, none of your changes to Wireshark adding that >> value will ever be accepted. You ***MUST*** first get an official value. >> >> ___________________________________________________________________________ >> Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx> >> Archives: http://www.wireshark.org/lists/wireshark-dev >> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev >> >> mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe > > > > ___________________________________________________________________________ > Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx> > Archives: http://www.wireshark.org/lists/wireshark-dev > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev > mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe -- Pozdrawiam / Best regards ------------------------------------------------------------------------------------------------------------- Michał Łabędzki, Software Engineer Tieto Corporation Product Development Services http://www.tieto.com / http://www.tieto.pl --- ASCII: Michal Labedzki location: Swobodna 1 Street, 50-088 Wrocław, Poland room: 5.01 (desk next to 5.08) --- Please note: The information contained in this message may be legally privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, you are hereby notified that any unauthorised use, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank You. --- Please consider the environment before printing this e-mail. --- Tieto Poland spółka z ograniczoną odpowiedzialnością z siedzibą w Szczecinie, ul. Malczewskiego 26. Zarejestrowana w Sądzie Rejonowym Szczecin-Centrum w Szczecinie, XIII Wydział Gospodarczy Krajowego Rejestru Sądowego pod numerem 0000124858. NIP: 8542085557. REGON: 812023656. Kapitał zakładowy: 4 271500 PLN
- Follow-Ups:
- References:
- Prev by Date: Re: [Wireshark-dev] Custom link layer type for logging additional data
- Next by Date: Re: [Wireshark-dev] Custom link layer type for logging additional data
- Previous by thread: Re: [Wireshark-dev] Custom link layer type for logging additional data
- Next by thread: Re: [Wireshark-dev] Custom link layer type for logging additional data
- Index(es):