Wireshark · Ethereal-dev: Re: [Ethereal-dev] updated fakelink dissector + (new) README.fakelink

Ethereal-dev: Re: [Ethereal-dev] updated fakelink dissector + (new) README.fakelink

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>

Date: Fri, 18 Jul 2003 16:19:21 -0700


On Tuesday, July 8, 2003, at 2:04 PM, Jeff Morriss wrote:

1) What is the fake link layer?
---------------------------------
The fake link layer is a dissector in Ethereal that allows Ethereal toread
a capture file (in PCAP format: fake link has (TODO: will have) its own
DLT_ file format identifier reserved in libpcap) that contains someprotocollayer without any of the lower level protocol parts (headers,trailers) on it.Examples include MTP3 without the MTP2 header or SCCP without MTP3 (orbelow).A (TODO: bad?) non-SS7 example would be TCP without IP (and withoutEthernet).
Why? Because there are some protocols that Ethereal understands mostof butcould not (prior to Fake Link) decode directly because those protocolsdon'trun over a link layer that Ethereal understands. A good example ofthis isSS7: Ethereal understands a good number of the SS7 protocols becausepeoplehave developed dissectors for use with SIGTRAN (SS7 over IP) butEthereal
can not capture directly from SS7 links.

It can't capture directly from ISDN links, either, but it doesunderstand ISDN links, at least at the level of frame plus channelnumber (the D channel is dissected as LAPD; the B channel is dissectedas V.120 or PPP-in-HDLC-like-encapsulation, depending on heuristics).The same applies to SDLC.

It understands those link layers because it can read captures fromother network analyzers that can do that (because they have hardwarepods to do so, as in the case of, for example, a Network AssociatesSniffer(R)).

3) How to write a fake link layer PCAP file?
----------------------------------------------
There are 2 methods that you can use to write out a fake link PCAPcapturefile: by using the Wiretap library (part of Ethereal) or by writingthe fileout directly from your application. It would make sense that libpcapcouldbe used directly (which could be advantageous since it has a BSDlicense) butthe APIs for libpcap do not seem to allow writing protocol packets toa file
directly (it seems geared more towards capture-and-writing).

You could, with more recent versions of libpcap, probably cheat bycalling "pcap_open_dead()" and using the pcap_t * you get back fromthat as the argument to "pcap_dump_open()".

References:
- [Ethereal-dev] updated fakelink dissector + (new) README.fakelink
  - From: Jeff Morriss

Prev by Date: Re: [Ethereal-dev] Can't build on Windows due to Winsock2 errors.
Next by Date: Re: [Ethereal-dev] assert() in DOCSIS plugin causes __eprintf undefined symbol
Previous by thread: Re: [Ethereal-dev] updated fakelink dissector + (new) README.fakelink
Next by thread: [Ethereal-dev] MTP3 error in retrieving SLS
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$