Wireshark-users: Re: [Wireshark-users] Support for WAN / HDLC

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 18 Dec 2006 10:19:57 -0800
Hubert.Miecznikowski@xxxxxxxxx wrote:

> You mentioned that dissector for LAPB & FrameRelay already exist. I do not
> see those in my version of Wireshark (I am running it under WindowsXP).

"Do not see" in what sense?

> Do I have to download any additional software ?

No.  See epan/dissectors/packet-lapb.c and epan/dissectors/packet-fr.c.

> Now if I were to do a similar test on our HDLC ports configured for X.25 or
> FrameRelay, what information would I have to put in the file header to tell
> Wireshark that this is an X.25 or FrameRelay capture ?
> I would assume that the answer has to do with the "network" field of the
> "pcap_hdr_t" structure, but ... what do I have to populate it with ? Can it
> be done at all ?

For Frame Relay, yes; the value is 107.

For LAPB, currently, no. You'd have to ask tcpdump-workers@xxxxxxxxxxx for a value. Note that you should indicate whether the packets in that format start with the address field in the LAPB header or whether they also include a field giving an indication of whether the packet was received or sent (unfortunately, libpcap format doesn't have a direction field in the per-packet header).

> Another issue has to do with the requirement to capture traffic from
> multiple cards/ports (each data comm card in a chassis has 8 ports) to a
> single "capture entity". One of the cards in the chassis is a "system
> management card"; it runs Linux (this is where Wireshark would run). We are
> thinking/considering making changes to the libpcap library on this card, to
> "expose" all the data comm ports on the other cards as "local interfaces" to
> Wireshark, this way being able to capture traffic from multiple ports at the
> same time.

Would that be a single stream of packets (i.e., a single pcap_t opened by pcap_open_live())? If so, you'd also want to add a port number in front of the LAPB header, along with possibly adding a direction flag.

If the different cards have different link-layer types, it gets more complicated, in that you'd have to put the link-layer type of each packet in the per-packet header - or adopt pcap-NG format:

	http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html

for which support would have to be added in Wiretap (which would involve Wiretap API changes).

> In the process, part of the libpcap library would have to be
> ported to the data comm cards to support run-time filtering ... etc.

E.g., adding the BPF interpreter? The implementation in libpcap is BSD-licensed; Linux includes a GPLed implementation.
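As an added illustration of the file-header answer above (this is my own example, not code from the thread, Wireshark or libpcap), the following Python builds a minimal pcap file in memory with the "network" field set to 107, reads it back, and decodes the DLCI from the Q.922 address at the front of a constructed Frame Relay frame; the sample frame bytes and all function names are assumptions of the example.

```python
import struct

# Constants from the libpcap file format (pcap_hdr_t / pcaprec_hdr_t).
PCAP_MAGIC = 0xA1B2C3D4   # little-endian magic, microsecond timestamps
LINKTYPE_FRELAY = 107     # the "network" value the thread gives for Frame Relay

def pcap_global_header(linktype, snaplen=65535):
    """pcap_hdr_t: magic, version 2.4, thiszone, sigfigs, snaplen, network."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(frame, ts_sec=0, ts_usec=0):
    """pcaprec_hdr_t followed by the frame bytes (incl_len == orig_len here)."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame

def build_pcap(linktype, frames):
    return pcap_global_header(linktype) + b"".join(pcap_record(f) for f in frames)

def parse_pcap(data):
    """Return (linktype, [frame, ...]) from an in-memory little-endian pcap."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    frames, off = [], 24
    while off < len(data):
        _s, _us, incl_len, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet record")
        frames.append(data[off:off + incl_len])
        off += incl_len
    return linktype, frames

def q922_dlci(frame):
    """Decode the 10-bit DLCI from a 2-byte Q.922 address (EA bits 0 then 1)."""
    b0, b1 = frame[0], frame[1]
    if (b0 & 0x01) or not (b1 & 0x01):
        raise ValueError("expected a 2-byte Q.922 address")
    return ((b0 >> 2) << 4) | (b1 >> 4)

# Constructed sample frame: DLCI 16, UI control 0x03, NLPID 0xCC (IP), dummy payload.
SAMPLE_FRAME = bytes([0x04, 0x01, 0x03, 0xCC]) + b"\x45\x00\x00\x14"

def demo():
    """Round-trip the sample through the pcap format and decode its DLCI."""
    linktype, frames = parse_pcap(build_pcap(LINKTYPE_FRELAY, [SAMPLE_FRAME]))
    return linktype, q922_dlci(frames[0])

if __name__ == "__main__":
    print(demo())
```

Writing the returned bytes to a file gives something Wireshark will open as a Frame Relay capture; the per-packet header still carries no direction flag, as Guy notes.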