Wireshark-users: Re: [Wireshark-users] Capturing ATM/IMA traffic on Wireshark

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 2 Jun 2010 20:40:10 -0700

On Jun 2, 2010, at 6:25 PM, Rayne wrote:

> Is it possible to capture ATM/IMA traffic on Wireshark? Say I have an IMA emulator that generates IMA traffic across 4 E1 links, is it possible to connect the emulator to a switch, then to a server and use Wireshark to capture the traffic?

Are you talking about traffic that's actually running over E1 links?

If so, you will need hardware capable of capturing traffic over those links, an operating system that supports that hardware, and a version of libpcap/WinPcap that supports that hardware.

Endace has a DAG card that can capture on E1 links:

	http://www.endace.com/dag-3.7t-packet-capture-card.html

which is, I think, supported on Linux, FreeBSD, and Windows.  The standard versions of libpcap that come with various Linux distributions and FreeBSD don't support it by default, but most if not all of them can be built with DAG support and linked with Endace's DAG library; I think WinPcap has support for them built in.  If they're built as shared libraries, replacing the DAGless standard libraries, Wireshark wouldn't need to be rebuilt.

> And please correct me if I'm wrong, but since the traffic comes from an emulator, can I assume that the traffic is already in the ATM (i.e. 53-byte cells) format, instead of being "encapsulated" in, say, the SDH frame structure?

If they're running over E1 links, would they be using the SDH frame structure?  I thought SDH was for optical links.