Wireshark-users: Re: [Wireshark-users] 802.15.4 Decode

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 23 Sep 2008 17:45:28 -0700

On Sep 23, 2008, at 5:00 PM, Colin O'Flynn wrote:

> It's my understanding Wireshark has 802.15.4 support in it since version
> 1.0.0. However I'm trying to understand how to enable this...

"Support" for a given protocol doesn't necessarily mean "you can encapsulate it in anything"; in the case of 802.15.4, the support was put in for the benefit of people who were directly capturing 802.15.4 packets and writing 802.15.4 packets to a file with no encapsulation.

> My hardware shows up as an ethernet interface, so I've routed the raw 802.15.4
> packets as data encapsulated by an ethernet header.

What hardware is that? And, when you say "routed", to what are you referring?

I.e., what's the full hardware and software data path from the hardware up to either libpcap/WinPcap or whatever other software is either feeding packets to Wireshark (over a pipe?) or writing packets to a file for Wireshark to read later? If that data path can be made to just pass raw 802.15.4 packets, with no encapsulation, and with a DLT_ value of DLT_IEEE802_15_4 (195), it might be possible to have Wireshark read those packets without any change.

> If I right-click on these received packets and select "decode as", I don't
> see the "wpan" option. Which is kinda what I was hoping would happen, as that
> roughly ends my knowledge of wireshark!

"Decode as" doesn't implement a full NxM matrix where arbitrary dissector A can be plugged into arbitrary packet type value B, so that won't work.
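
The approach suggested in the reply above (pass raw 802.15.4 packets with no encapsulation and a DLT_ value of DLT_IEEE802_15_4 (195)), sketched as an added example that is not part of the original message or of Wireshark's code: it strips the Ethernet header from each captured frame and writes the remainder to a classic pcap file whose link-layer type is 195. Assumptions: a plain 14-byte Ethernet II header, no Ethernet minimum-size padding after the 802.15.4 frame, and constructed sample bytes, timestamp and output file name.

```python
import struct

DLT_IEEE802_15_4 = 195   # link-layer type value named in the reply
ETH_HEADER_LEN = 14      # assumption: plain Ethernet II header, no VLAN tag
PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
MAX_802154_FRAME = 127   # largest 802.15.4 PHY payload

def strip_ethernet(frame: bytes) -> bytes:
    """Return the 802.15.4 frame carried after the Ethernet header."""
    payload = frame[ETH_HEADER_LEN:]
    if not payload:
        raise ValueError("frame too short to carry an 802.15.4 payload")
    if len(payload) > MAX_802154_FRAME:
        raise ValueError("payload longer than an 802.15.4 frame")
    return payload

def build_pcap(frames, linktype=DLT_IEEE802_15_4, snaplen=256) -> bytes:
    """Serialize (ts_sec, ts_usec, frame_bytes) tuples as a classic pcap file."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, data in frames:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)))
        out.append(data)
    return b"".join(out)

def read_pcap(blob: bytes):
    """Parse the file back: returns (linktype, [frame_bytes, ...])."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    offset, frames = 24, []
    while offset < len(blob):
        _sec, _usec, incl_len, _orig = struct.unpack_from("<IIII", blob, offset)
        offset += 16
        frames.append(blob[offset:offset + incl_len])
        offset += incl_len
    return linktype, frames

# Constructed sample: a 5-byte 802.15.4 ACK (frame control 0x0002, sequence
# number 0x2a, placeholder FCS) behind a made-up Ethernet header with a
# placeholder EtherType.
ACK = bytes.fromhex("02002a0000")
ENCAPSULATED = bytes.fromhex("ffffffffffff" "020000000001" "88b5") + ACK

if __name__ == "__main__":
    # Constructed timestamp and hypothetical output file name.
    with open("wpan.pcap", "wb") as fh:
        fh.write(build_pcap([(1222217128, 0, strip_ethernet(ENCAPSULATED))]))
```

If the capture path pads short frames up to the Ethernet minimum size, the padding has to be removed before writing, since the raw frame carries no length field of its own.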