Wireshark · Ethereal-dev: RE: [Ethereal-dev] non-ethernet use of ethereal

Ethereal-dev: RE: [Ethereal-dev] non-ethernet use of ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ray Rizzuto" <Ray_Rizzuto@xxxxxxx>

Date: Wed, 15 Sep 2004 09:51:14 -0400

Guy,

Thanks!  That's exactly what I needed.  I'll probably need to prepend
some information to the raw data, such as the direction and interface
number (for a multi-interface capture).

Ray   

-----Original Message-----
From: ethereal-dev-bounces@xxxxxxxxxxxx
[mailto:ethereal-dev-bounces@xxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Tuesday, September 14, 2004 5:01 PM
To: Ethereal development
Subject: RE: [Ethereal-dev] non-ethernet use of ethereal

Ray Rizzuto said:
> I'd like to use an existing file format, if possible.  I have control 
> of creating the output file from another application.  Do you know 
> where I can get documentation on the libpcap format to see if I can 
> use that to contain non-ethernet data?

Libpcap format *already* supports non-Ethernet data, and has done so for
ages.  Unless you need special out-of-band data, you'd just write the
raw packet data - and if you *do* need special out-of-band data, you
could just prepend it to the raw packet data; that's how SunATM captures
supply the VPI/VCI, direction, and traffic type information.

Probably the easiest way to write out a libpcap file would be to use
libpcap/WinPcap to do it.

The API for opening an output file was somewhat too narrowly conceived -
it takes an open libpcap *input* as an argument, to supply the
link-layer type, etc. - but sufficiently recent versions of libpcap have
a workaround, namely "pcap_open_dead()", which lets you create a "fake"
libpcap input with a specified link-layer type and snapshot length.  You
can then use that as an argument to "pcap_dump_open()".

If this is going to be a private extension to Ethereal - so that you can
use one of the WTAP_ENCAP_USER{N} values - there's a range of private
link-layer type values for libpcap format, DLT_USER{N}, in the range 147
through 162.  You could use one of those as the link-layer type;
Ethereal already knows that it should map DLT_USER{N} to
WTAP_ENCAP_USER{N}.

If this is going to be public, you must ask tcpdump-workers@xxxxxxxxxxx
for a link-layer type value, and use that value.


_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev

Prev by Date: [Ethereal-dev] Retransmissions
Next by Date: [Ethereal-dev] test (Ignore)
Previous by thread: RE: [Ethereal-dev] non-ethernet use of ethereal
Next by thread: [Ethereal-dev] Gtk-CRITICAL errors with dual display
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$