Wireshark-users: Re: [Wireshark-users] 802.15.4 Decode

From: Colin O'Flynn <coflynn@xxxxxxxxx>
Date: Tue, 23 Sep 2008 21:54:02 -0300
Hi,

Thanks for the quick response!

> What hardware is that?  And, when you say "routed", to what are you
> referring?

Custom hardware so to say. It's for an open-source project running IPv6 over
802.15.4, which will be fully announced Friday. Right now we are using other
802.15.4 sniffers to debug, but it would be nice to use Wireshark.

The actual hardware is a USB device with an Atmel micro and 802.15.4 radio. It
is programmed to appear as an Ethernet interface, so you can pass IP packets
between the PC and over the air. That works fine, including on Wireshark ;-)

However I also put in a "raw" mode, which gives you the 802.15.4 packets
without being decoded. I can send them however I want over the interface -
aka right now I put on 14 bytes that is the Ethernet header. There is no need
for me to do this, I could send just the 802.15.4 data.

>  If that data path can be made
> to just pass raw 802.15.4 packets, with no encapsulation, and with a
> DLT_ value of DLT_IEEE802_15_4 (195), it might be possible to have
> Wireshark read those packets without any change.

As above - yes I can send raw packets. The physical "interface" is Ethernet
though, but it would have no Ethernet header.

Would that work, and where do I find more information about the DLT value? 
Just googling "DLT_" isn't as useful, lots of other acronyms seem to have 
this ;-) And most importantly how do I get that set...

Regards,

  -Colin

On Tuesday 23 September 2008 09:45:28 pm Guy Harris wrote:
> On Sep 23, 2008, at 5:00 PM, Colin O'Flynn wrote:
> > It's my understanding Wireshark has 802.15.4 support in it since version
> > 1.0.0. However I'm trying to understand how to enable this...
>
> "Support" for a given protocol doesn't necessarily mean "you can
> encapsulate it in anything"; in the case of 802.15.4, the support was
> put in for the benefit of people who were directly capturing 802.15.4
> packets and writing 802.15.4 packets to a file with no encapsulation.
>
> > My hardware shows up as an Ethernet interface, so I've routed the raw
> > 802.15.4 packets as data encapsulated by an Ethernet header.
>
> What hardware is that?  And, when you say "routed", to what are you
> referring?
>
> I.e., what's the full hardware and software data path from the
> hardware up to either libpcap/WinPcap or whatever other software is
> either feeding packets to Wireshark (over a pipe?) or writing packets
> to a file for Wireshark to read later?  If that data path can be made
> to just pass raw 802.15.4 packets, with no encapsulation, and with a
> DLT_ value of DLT_IEEE802_15_4 (195), it might be possible to have
> Wireshark read those packets without any change.
>
> > If I right-click on these received packets and select "decode as", I
> > don't see the "wpan" option. Which is kinda what I was hoping would
> > happen, as that roughly ends my knowledge of Wireshark!
>
> "Decode as" doesn't implement a full NxM matrix where arbitrary
> dissector A can be plugged into arbitrary packet type value B, so that
> won't work.
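
The capture-file route discussed in this thread (raw 802.15.4 frames, no Ethernet header, link-layer type 195), shown as an added example that is not code from either poster or from Wireshark. The function names, the sample frame and the output path are assumptions made for illustration; the FCS is appended because link type 195 describes frames that carry it.

```python
import struct

DLT_IEEE802_15_4 = 195      # DLT_ value quoted in the thread
PCAP_MAGIC = 0xA1B2C3D4     # classic pcap, microsecond timestamps
MAX_PHY_PAYLOAD = 127       # largest 802.15.4 PHY payload, FCS included

def fcs16(data: bytes) -> int:
    """802.15.4 FCS: CRC-16 ITU-T, bit-reflected, initial value 0."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def with_fcs(frame_without_fcs: bytes) -> bytes:
    # The FCS goes on the end, low byte first, as it is sent over the air.
    return frame_without_fcs + struct.pack("<H", fcs16(frame_without_fcs))

def build_pcap(frames, linktype=DLT_IEEE802_15_4) -> bytes:
    """frames: iterable of (ts_sec, ts_usec, raw_frame), no Ethernet header."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, MAX_PHY_PAYLOAD, linktype)]
    for ts_sec, ts_usec, frame in frames:
        if not 0 < len(frame) <= MAX_PHY_PAYLOAD:
            raise ValueError(f"not a plausible 802.15.4 frame: {len(frame)} bytes")
        # Per-record header: timestamp, captured length, original length
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def parse_pcap(blob: bytes):
    """Read back (linktype, [frames]) to check what a reader will see."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    frames, offset = [], 24
    while offset < len(blob):
        _, _, incl_len, _ = struct.unpack_from("<IIII", blob, offset)
        frames.append(blob[offset + 16: offset + 16 + incl_len])
        offset += 16 + incl_len
    return linktype, frames

# Constructed sample: data frame, FCF 0x8841, seq 1, PAN 0xABCD,
# dst 0xFFFF, src 0x0001, payload b"hello".
SAMPLE_FRAME = with_fcs(bytes.fromhex("4188 01 cdab ffff 0100") + b"hello")

if __name__ == "__main__":
    with open("raw154.pcap", "wb") as fh:   # hypothetical output path
        fh.write(build_pcap([(0, 0, SAMPLE_FRAME)]))
```

The link-layer type lives only in the file's global header, so every record in the file has to be a bare 802.15.4 frame.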