Ethereal-dev: Re: [ethereal-dev] Alternative devices and Threading of IP/UDP

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gilbert Ramirez <gram@xxxxxxxxxx>
Date: Thu, 13 Apr 2000 15:40:11 -0500
On Thu, Apr 13, 2000 at 02:46:13PM -0500, Eric Bresie wrote:
> Hey guys...don't know if this would be the right place to ask about this but
> I figure you can probably help me or point me in the right direction.
> 
> I am working on a project that interacts with a lot of alternative devices
> (proprietary modems, etc.) that speak some of the common protocols (IP, TCP,
> UDP, etc.) and was wondering how difficult it is to support these devices.
> 
> Is it just as simple as putting /dev/my_modem or /dev/modem for the device
> to capture from?

No. libpcap needs to know what type of data (DLT_ type) comes from these
devices. You'll have to modify libpcap. If the data doesn't come back
as one of Wiretap's encapsulation types (see wiretap/wtap.h), you'll have
to add a new one and handle it in packet.c.
 
> And along those lines, if it is simply a matter of the device/device driver in
> question having to have certain hooks to use the capturing capabilities, what
> kind of hooks are needed?
> 
> Would this be something that I would need to look more to the libpcap and/or
> tcpdump guys?  And along those lines, are there any mailing lists relating
> to these two products?

www.tcpdump.org has the addresses for the tcpdump mailing list, which
treats matters concerning both tcpdump and libpcap. Some of us on ethereal-dev
are also on that mailing list.

> Ethereal uses libpcap which outputs to tcpdump format correct?  Other than
> the common library, it does not rely on tcpdump for anything correct?

The format is "libpcap" format. Tcpdump uses libpcap to read that format. Lots of
people confuse "tcpdump" format with "libpcap" format. But "libpcap" format
is the binary representation of the trace, and "tcpdump" converts that to
a concise ASCII summary.

> Also, I think I mentioned this before, but I figure I would ask again in a
> slightly different direction.
> 
> When we are capturing data, all the packets in question are sent to a dump
> file.  In the dump file the individual information is timestamped by the
> capturing (not the actual packets).
> 
> I have used a little bit the "Follow the TCP" functionality and was
> wondering if something along those lines is possible with IP and/or UDP.
> 
> How does it identify the start and end of the TCP stream?  I am guessing
> that is ultimately part of the TCP packet header information, correct?

Yep. Look at follow.c

> I am concerned about this because some of the messaging we want to capture
> is UDP/IP based and not TCP/IP based.

We intend to be able to reconstruct fragmented IP datagrams, but we don't have
that functionality yet.

--gilbert
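As an added example (not code from this post, nor from Ethereal, libpcap or tcpdump), a minimal writer and reader for the "libpcap" file format Gilbert distinguishes from tcpdump's ASCII output. It shows where the link type (the DLT_ value libpcap must know for a device) and the per-record capture timestamps live, and that a record's captured length and original length are distinct. The sample packets are constructed, and the bounds checks on record lengths are this example's own assumptions about how to treat a truncated or malformed file.

```python
import struct

# libpcap file-format constants (from the format itself, not from the post).
PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution timestamps, native byte order
LINKTYPE_ETHERNET = 1          # DLT_EN10MB: Ethernet frames
LINKTYPE_RAW = 101             # raw IP, no link-layer header
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len


def write_pcap(linktype, packets, snaplen=65535):
    """Serialise (ts_sec, ts_usec, bytes) tuples into a libpcap-format file image.
    The timestamp is stored per record by the capturing program; it is not
    part of the packet bytes, which is why the dump file carries it separately."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, data in packets:
        captured = data[:snaplen]   # bytes kept are capped at snaplen; orig_len records the wire length
        out += RECORD_HDR.pack(ts_sec, ts_usec, len(captured), len(data))
        out += captured
    return bytes(out)


def read_pcap(blob):
    """Parse a libpcap file image.
    Returns (linktype, [(ts_sec, ts_usec, captured_bytes, orig_len), ...])."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:       # same magic as written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a libpcap file (bad magic)")
    ghdr = struct.Struct(endian + "IHHiIII")
    rhdr = struct.Struct(endian + "IIII")
    _, major, minor, _, _, snaplen, linktype = ghdr.unpack_from(blob, 0)
    if (major, minor) != (2, 4):
        raise ValueError("unsupported libpcap version %d.%d" % (major, minor))
    records, off = [], ghdr.size
    while off < len(blob):
        if off + rhdr.size > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = rhdr.unpack_from(blob, off)
        off += rhdr.size
        # A record claiming more bytes than snaplen allows or than remain in the
        # file is malformed; refuse it rather than read past the buffer.
        if incl_len > snaplen or off + incl_len > len(blob):
            raise ValueError("truncated or malformed record at offset %d" % off)
        records.append((ts_sec, ts_usec, blob[off:off + incl_len], orig_len))
        off += incl_len
    return linktype, records
```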