Wireshark-users: Re: [Wireshark-users] decoding packet data payload?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 04 May 2008 23:03:54 -0700
Malcolm Herbert wrote:

> In this case it seems that there's a 1:1 relationship between HDLC frame
> and TCP packet,
If, for any protocol running atop TCP, there is a 1:1 relationship 
between a TCP segment and a packet for that protocol, it should be 
assumed to be the result of pure luck - there is no guarantee that a TCP 
implementation will preserve packet boundaries for a protocol running 
atop it, so *anything* reading packets out of a TCP data stream, whether 
it's a dissector for a network analyzer such as Wireshark *or* if it's 
an implementation of the protocol reading from a TCP socket, should not 
assume that each chunk of TCP data it gets handed corresponds to one and 
only one packet.
> actually this seems to be the most feasible - I already have most of the
> code to do this bit. Is there any documentation to tell me what
> format Wireshark expects data to be in on stdin?
libpcap format - either use pcap_dump_open() and pcap_dump() in libpcap, 
or see
	http://wiki.wireshark.org/Development/LibpcapFileFormat
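As an added illustration of both points in the reply above (this is example code written for this page, not code from the thread or from Wireshark/libpcap): a small Python program that reassembles frames out of TCP payload delivered in arbitrary chunk sizes, then writes them as a libpcap stream that can be piped to Wireshark's stdin. It assumes 0x7E-delimited frames with RFC 1662 style byte stuffing (the thread does not say which HDLC flavour is in use), uses the placeholder link type DLT_USER0 (147) where a real capture would use the DLT matching the frames, and all sample bytes are constructed here.

```python
"""Added example: frame reassembly from a TCP byte stream + libpcap writer.
Pipe to Wireshark with:  python3 this_file.py | wireshark -k -i -"""
import struct
import sys

FLAG, ESC, XOR = 0x7E, 0x7D, 0x20   # RFC 1662 byte-stuffing (assumed framing)
LINKTYPE_USER0 = 147                 # placeholder DLT; pick the one matching real frames
PCAP_MAGIC = 0xA1B2C3D4              # classic microsecond-resolution pcap magic


class HdlcStreamReassembler:
    """Feed TCP payload in whatever chunk sizes arrive; get back complete frames.
    Nothing here assumes one recv() == one frame: a frame may span chunks and a
    chunk may carry several frames (the point made in the reply above)."""

    def __init__(self, max_frame=4096):
        self._buf = bytearray()
        self._max_frame = max_frame   # bound memory if a closing flag never arrives

    def feed(self, chunk):
        self._buf.extend(chunk)
        frames = []
        while True:
            start = self._buf.find(FLAG)
            if start < 0:                 # no opening flag yet: drop inter-frame noise
                self._buf.clear()
                return frames
            end = self._buf.find(FLAG, start + 1)
            if end < 0:                   # partial frame: keep it and wait for more bytes
                del self._buf[:start]
                if len(self._buf) > self._max_frame:
                    self._buf.clear()     # unterminated/oversized frame: discard, resync
                return frames
            raw = bytes(self._buf[start + 1:end])
            del self._buf[:end]           # closing flag doubles as the next opening flag
            if raw:                       # back-to-back flags are idle fill, not a frame
                frames.append(unstuff(raw))


def unstuff(raw):
    """Undo RFC 1662 escaping: 0x7D X -> X ^ 0x20."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == ESC:
            i += 1
            if i >= len(raw):             # dangling escape: truncated frame, stop here
                break
            out.append(raw[i] ^ XOR)
        else:
            out.append(raw[i])
        i += 1
    return bytes(out)


def stuff(payload):
    """Inverse of unstuff, used only to build the constructed sample below."""
    out = bytearray([FLAG])
    for b in payload:
        out += bytes([ESC, b ^ XOR]) if b in (FLAG, ESC) else bytes([b])
    out.append(FLAG)
    return bytes(out)


def pcap_global_header(linktype, snaplen=65535):
    # magic, major 2, minor 4, thiszone, sigfigs, snaplen, network (24 bytes)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(frame, ts, snaplen=65535):
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    captured = frame[:snaplen]            # incl_len may be shorter than orig_len
    return struct.pack("<IIII", sec, usec, len(captured), len(frame)) + captured


def read_pcap(data):
    """Parse a little-endian microsecond pcap back into (ts, frame) tuples."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("unexpected magic / byte order")
    off, out = 24, []
    while off < len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        out.append((sec + usec / 1e6, data[off:off + incl]))
        off += incl
    return out


def frames_from_chunks(chunks):
    reasm, frames = HdlcStreamReassembler(), []
    for c in chunks:
        frames.extend(reasm.feed(c))
    return frames


def pcap_from_chunks(timed_chunks, linktype=LINKTYPE_USER0, snaplen=65535):
    """timed_chunks: (arrival_time, tcp_payload). A frame gets the arrival time
    of the chunk that completed it. Returns the whole pcap as bytes."""
    reasm = HdlcStreamReassembler()
    out = bytearray(pcap_global_header(linktype, snaplen))
    for ts, chunk in timed_chunks:
        for frame in reasm.feed(chunk):
            out += pcap_record(frame, ts, snaplen)
    return bytes(out)


# Constructed sample: two frames (the second contains both reserved bytes),
# split across three "TCP segments" at offsets that ignore frame boundaries.
FRAME_A = b"\x0f\x00\x08\x00" + bytes(range(1, 9))
FRAME_B = bytes([FLAG, ESC, 0x41, 0x42])
WIRE = stuff(FRAME_A) + stuff(FRAME_B)
SEGMENTS = [(1.0, WIRE[:5]), (1.5, WIRE[5:19]), (2.0, WIRE[19:])]

if __name__ == "__main__":
    sys.stdout.buffer.write(pcap_from_chunks(SEGMENTS))
```

The reassembler yields the same two frames whether the 22 wire bytes arrive as three segments, one byte at a time, or all at once, which is exactly why a dissector or client must never rely on segment boundaries. The `max_frame` bound matters when the peer is untrusted: without it, a stream that never sends a closing flag grows the buffer without limit.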