Wireshark-dev: Re: [Wireshark-dev] IPoIB dissector: snoop file vs pcap data

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 18 Mar 2016 09:21:57 -0700
On Mar 18, 2016, at 9:00 AM, Petr Sumbera <petr.sumbera@xxxxxxxxxx> wrote:

> at this moment Wireshark can read snoop files with IPoIB[1] data:
> 
> https://github.com/wireshark/wireshark/blob/master/epan/dissectors/packet-ipoib.c
> 
> I'm working on extending it to support also data as they come from PCAP on Solaris (at this moment Solaris generates data with DLT_USER15 which need to be fixed anyway).

It most *definitely* needs to be fixed, just as Apple's use of DLT_USER2 needs to be fixed.

> Unfortunately there is for some unknown reason following difference:
> 
> Snoop contains:
> IPoIB header [4 bytes]
> IP data
> 
> PCAP data contains:
> GRH Header (multicast) or just 20 bytes address (unicast) [40 bytes]
> IPoIB header [4 bytes]
> IP data
> 
> With Wireshark 1.12 I was considering to distinguish between these two data in dissector via pinfo->file_type_subtype. But with Wireshark 2.0 it doesn't seem to be possible any more (file_type_subtype is not available in dissector).
> 
> What would you recommend me here?

Have two separate WTAP_ENCAP_ values, one for IPoIB with the snoop encapsulation and one for IPoIB with the pcap/pcapng encapsulation, if they don't already exist.

Register an "IPoIB with the snoop encapsulation" dissector with the WTAP_ENCAP_ value for the IPoIB with the snoop encapsulation and register an "IPoIB with the pcap/pcapng encapsulation" dissector with the WTAP_ENCAP_ value for the IPoIB with the pcap/pcapng encapsulation.