Ethereal-dev: Re: Re: [Ethereal-dev] Trying to add new format file

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gilbert Ramirez <gilbertr@xxxxxxxxx>
Date: Thu, 18 Nov 2004 10:19:08 -0600
The encapsulation type tells Ethereal what the first protocol in the
packet is. Is it Ethernet? Is it token-ring? Is it Bluetooth? That's
how you decide.

--gilbert


On 18 Nov 2004 15:18:54 -0000, harsha ss <harsha.ss@xxxxxxxxxxxxxx> wrote:
> 
> 
>    
>  Thanks for your reply.
>  I went through the steps you suggested, and
>  I have the following problems:
>  
>  1. How to choose the proper encapsulation type for the
>    file we are using, any hints?
>  2. In the wiretap directory, new routines are written in a new_file,
>    and new_file.c and new_file.h are added to the list just
>    after the radcom.h and radcom.c files.
>  3. I got much information to write the routines from radcom.c.
>    The Makefile generated from Makefile.common will include
>    new_file.c and new_file.h, but the files added do not
>    produce .lo and .o files; please tell me the reason.
>  4. I can see the difference even though they do not produce the .lo and .o files.
>  
>  Please give further suggestions to proceed.
>    Thanks in advance
>        harsha
>  On Wed, 17 Nov 2004 Miklos Szurdi wrote:
> 
> 
>  >I will try to summarize this thing for you,
>  >a small how-to on this, as it may be interesting for others too.
>  >
>  >There is a readme on this in the wiretap library (README.developer);
>  >as it says, it is very short and very dirty....but very useful!!!!!!
>  >You have to write two files:
>  >
>  >your_dumpfile.h
>  >
>  >this has to look exactly like radcom.h, for example
>  >
>  >your_dumpfile.c
>  >
>  >this has to look very similar to radcom.c, for example
>  >
>  >(these radcom files are easy to interpret with a little C coding knowledge)
>  >
>  >
>  >you need to write into three existing files (in wiretap):
>  >/****************************************/
>  >In file_access.c ,add your header file to this list:
>  >
>  >#include "wtap-int.h"
>  >...
>  >#include "network_instruments.h"
>  >#include "your_dumpfile.h" /*this is your header file*/
>  >
>  >and to this:
>  >
>  >static int (*const open_routines[])(wtap *, int *, char **) = {
>  >  /* Files that have magic bytes in fixed locations. These
>  >  * are easy to identify.
>  >  */
>  >  libpcap_open,
>  >  ...
>  >  airopeek9_open,
>  >  your_dumpfile_open, /* if your dump file uses some magic number; if not,
>  >   * then you still have to put it in the same array but somewhere else...
>  >   * it is evident from file_access.c */
>  >};
>  >
>  >  dump_open_table[WTAP_NUM_FILE_TYPES] = {
>  >  /* WTAP_FILE_UNKNOWN */
>  >  { NULL, NULL,
>  >    NULL, NULL },
>  >  ....
>  >  /* WTAP_FILE_YOUR_DUMPFILE */
>  >  { NULL, NULL,
>  >    NULL, NULL },
>  >
>  >}
>  >/********************************/
>  >wiretap.h
>  >what you should do with this file is in the readme
>  >....
>  >#define WTAP_FILE_EYESDN  39
>  >#define WTAP_FILE_YOUR_DUMPFILE    40
>  >/* last WTAP_FILE_ value + 1 */
>  >#define WTAP_NUM_FILE_TYPES  41 /* don't forget to add one to this... */
>  >....
>  >/*********************************/
>  >Makefile.common
>  >find where radcom.c and radcom.h are and add yours in the same place...very obvious
>  >on Linux you may have to run automake, autoconfig, and aclocal or something...I can't remember this part :(
>  >
>  >"tricks" (no tricks, just time-saving small things) not in wiretap/README.developer
>  >
>  >in the your_dumpfile_open function:
>  >
>  >  wth->file_type = WTAP_FILE_YOUR_DUMPFILE;
>  >  wth->file_encap = WTAP_ENCAP_SOMETHING; /* that should be something that
>  >   * is the basic protocol that your dump file has...not the dump file's own
>  >   * format...the possibilities are in the wtap.h file */
>  >  wth->subtype_read = tektronix_read;
>  >  wth->subtype_seek_read = tektronix_seek_read;
>  >  wth->phdr.pkt_encap = wth->file_encap; /* this should be set to this...don't know why */
>  >  wth->snapshot_length = 0;
>  >
>  >in function your_dumpfile_read(....long *data_offset...)
>  >
>  >this value has to be set for the seek_read function to find the packet...
>  >
>  >that is it for me....
>  >
>  >radcom.c was a very easy to follow example for me...so I hope it will be for you
>  >Gilbert Ramirez <gilbertr@xxxxxxxxx> wrote:
>  >Like I've said before, if the file you're reading is a hex-dump text
>  >file, then your easiest option is to try to convert it to a pcap file
>  >using text2pcap, a program that comes with ethereal. text2pcap has a
>  >lot of options, but if the hexdump format cannot be read by text2pcap,
>  >another option is to write a small program to convert your hexdump
>  >format to a format that *is* readable by text2pcap. I did this for a
>  >netscreen hexdump file... see tools/netscreen2dump.py in the ethereal
>  >SVN repository (I don't think it's in 0.10.7)
>  >
>  >--gilbert
>  >
>  >
>  >On 17 Nov 2004 13:52:31 -0000, harsha ss wrote:
>  > >
>  > >
>  > >
>  > > Hi all,
>  > > I am using the ethereal 0.10.7 version on a linux machine.
>  > > I want ethereal to read a file of a different format with a mix of
>  > > ASCII and hex messages. Ethereal gives unknown format when reading such files.
>  > > Could anyone please give a suggestion to read such files and display the file
>  > > contents in the ethereal window.
>  > >
>  > > regards
>  > > Harsha
>  > >
>  > >
>  > > _______________________________________________
>  > > Ethereal-dev mailing list
>  > > Ethereal-dev@xxxxxxxxxxxx
>  > > http://www.ethereal.com/mailman/listinfo/ethereal-dev
>  > >
>  > >
>  > >
>  >
>
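
The small converter that the thread suggests putting in front of text2pcap, as an added example (not code from the thread or the Ethereal tree, and not netscreen2dump.py). The input log format, `SAMPLE`, `parse_frames` and `to_text2pcap` are assumptions made up for illustration.

```python
import re

# Constructed sample in a hypothetical mixed ASCII/hex log format (an
# assumption, not a real product's format): a header line per frame,
# then "data:" lines holding the frame bytes as hex pairs.
SAMPLE = """\
=== frame 1 rx 10:19:08 ===
data: ff ff ff ff ff ff 00 11 22 33 44 55 08 06 00 01
data: 08 00 06 04
=== frame 2 tx 10:19:09 ===
data: 00 11 22 33 44 55 66 77
"""
MAX_FRAME = 65535  # refuse absurd frame sizes from a corrupt log
HEX_PAIR = re.compile(r"[0-9a-fA-F]{2}")

def parse_frames(text):
    """Return one bytes object per frame found in the log text."""
    frames, current = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line.startswith("==="):  # ASCII header opens a new frame
            if current is not None:
                frames.append(bytes(current))
            current = bytearray()
        elif line.startswith("data:"):
            if current is None:
                raise ValueError(f"line {lineno}: data before frame header")
            for tok in line[5:].split():
                # Reject anything that is not exactly one hex byte, so a
                # damaged log cannot silently yield shifted packets.
                if not HEX_PAIR.fullmatch(tok):
                    raise ValueError(f"line {lineno}: bad hex byte {tok!r}")
                current.append(int(tok, 16))
            if len(current) > MAX_FRAME:
                raise ValueError(f"line {lineno}: frame over {MAX_FRAME} bytes")
        # any other line is free-form ASCII commentary and is skipped
    if current is not None:
        frames.append(bytes(current))
    return frames

def to_text2pcap(frames):
    """Hex dump with offsets; offset 000000 marks the start of a packet."""
    lines = []
    for frame in frames:
        for off in range(0, len(frame), 16):
            row = " ".join(f"{b:02x}" for b in frame[off:off + 16])
            lines.append(f"{off:06x} {row}")
        lines.append("")  # blank line between packets
    return "\n".join(lines)
```

text2pcap writes Ethernet as the link type unless `-l` selects another, which is the same encapsulation choice described at the top of this message.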