On 8/2/05, Guy Harris <gharris@xxxxxxxxx> wrote:
[MTP2 in linux cooked]
> It could, where "it" is defined as "the Linux kernel developers".
> (I.e., it's ultimately not up to us, as we don't define the packet types
> that are in the address supplied on a recvfrom() on a
> PF_PACKET/SOCK_DGRAM socket, and that libpcap uses to construct the
> cooked capture pseudo-header.)
>
> They'd want a type that's not a valid Ethernet type, of course.
Of course. The other question is whether they care to define something
that is of no obvious use for them. AFAIK there is no SS7 in the Linux
kernel.
Since it seems that this is the only feasible option, I will see what
can be done.
> > Is there any other option to produce a capture file which contains
> > MTP2, SCTP (and TCP) packets?
>
> MTP2-over-SCTP, or raw MTP2?
raw MTP2. I have a system with E1 and Ethernet interfaces, and I would
like to trace both in a single capture file. I have access to the
upper layer interfaces of MTP2 and SCTP, so everything below that will
be synthesised (fake). I need to synthesise MTP2 and IP/SCTP, because
I embed information that is important for understanding the trace.
Below that, I would like to synthesise only as much as necessary to
reach a common base format.
I could define my own encapsulation format, and write a dissector
using heuristic format recognition. However, that seems both
inefficient and ugly :-)
> If it's a mix of raw MTP2 and presumably-IP-based SCTP and TCP, there's
> no option for that, currently. With pcap-NG:
>
> http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
Unless I misread the draft, it is not possible to generate this format
in real time (on a pipe). So it would be of little use for me.
> you could make the capture have two separate interfaces, one with the
> raw MTP2 and one with the IP-based packets. Currently, there's no
> support for reading pcap-NG (in Wiretap or in libpcap), however.
And then there is that, too.
So, no multi-interface analysis? I would have thought this to be a
rather common problem (relatively speaking). But if linux cooked is the
closest there is, I will have another look at it. I could not figure
out how the dissector deals with the protocol types, but maybe I just
didn't look close enough.
Thomas
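The thread turns on two details of the "Linux cooked" (SLL) encapsulation: the 16-byte pseudo-header that libpcap builds from the PF_PACKET/SOCK_DGRAM address (packet type, hardware type, address length, address, protocol), and the fact that its protocol field is read as an Ethernet type, which is why a new raw-MTP2 value would have to avoid the Ethertype space. The following script is an added example, not code from the thread or from libpcap/Wireshark; it writes a classic pcap stream with LINKTYPE_LINUX_SLL records to stdout (so it can be fed to a pipe in real time, which is the use case Thomas describes), and parses it back. The field layout follows libpcap's documented cooked format; the MAC, IP addresses and timestamps are constructed sample values, and the `is_ethertype` check uses the IEEE 802.3 rule that values below 0x0600 are lengths, not types.

```python
"""Write and read back a pcap stream in Linux-cooked (SLL) encapsulation."""
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_LINUX_SLL = 113         # pcap link type for Linux cooked capture
ARPHRD_ETHER = 1                 # hardware type of the capturing interface
ETHERTYPE_IPV4 = 0x0800
# SLL packet types as recorded by PF_PACKET (sll_pkttype)
SLL_PKTTYPE = {0: "to-us", 1: "broadcast", 2: "multicast", 3: "to-other", 4: "from-us"}


def pcap_global_header(linktype=LINKTYPE_LINUX_SLL, snaplen=65535):
    """24-byte pcap file header: magic, version 2.4, tz, sigfigs, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def sll_header(pkttype, hatype, addr, protocol):
    """16-byte cooked pseudo-header (big-endian): pkttype, hatype, halen,
    address zero-padded to 8 bytes, protocol (an Ethertype for ARPHRD_ETHER)."""
    if len(addr) > 8:
        raise ValueError("link-layer address longer than 8 bytes")
    return struct.pack(">HHH8sH", pkttype, hatype, len(addr), addr, protocol)


def pcap_record(ts_sec, ts_usec, frame):
    """Per-packet header plus frame; each record is complete on its own,
    so records can be written to a pipe as they are produced."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def is_ethertype(protocol):
    """IEEE 802.3 uses values below 0x0600 as frame lengths; 0x0600 and up are Ethertypes."""
    return protocol >= 0x0600


def ipv4_checksum(hdr):
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    total = sum(struct.unpack(">%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def sample_ipv4_header():
    """Constructed minimal IPv4 header: 10.0.0.1 -> 10.0.0.2, protocol 132 (SCTP), no payload."""
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 132, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr[:10] + struct.pack(">H", ipv4_checksum(hdr)) + hdr[12:]


def build_sample_stream():
    """Constructed two-record stream: one packet sent by us, one received."""
    mac = bytes.fromhex("020000000001")  # constructed, locally administered MAC
    ip = sample_ipv4_header()
    out = pcap_global_header()
    out += pcap_record(1123000000, 0, sll_header(4, ARPHRD_ETHER, mac, ETHERTYPE_IPV4) + ip)
    out += pcap_record(1123000000, 500, sll_header(0, ARPHRD_ETHER, mac, ETHERTYPE_IPV4) + ip)
    return out


def parse_sll_pcap(blob):
    """Parse a little-endian SLL pcap; returns one dict per record with the cooked fields decoded."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_LINUX_SLL:
        raise ValueError("not a little-endian Linux-cooked pcap")
    off, records = 24, []
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", blob, off)
        off += 16
        frame = blob[off:off + incl_len]
        off += incl_len
        pkttype, hatype, halen, addr, proto = struct.unpack_from(">HHH8sH", frame, 0)
        records.append({
            "ts": ts_sec + ts_usec / 1e6,
            "pkttype": SLL_PKTTYPE.get(pkttype, "unknown"),
            "hatype": hatype,
            "addr": addr[:halen],
            "protocol": proto,
            "ethertype": is_ethertype(proto),
            "payload": frame[16:],
        })
    return records


if __name__ == "__main__":
    # Streaming use, e.g.: python sll_pcap.py | wireshark -k -i -
    sys.stdout.buffer.write(build_sample_stream())
    sys.stdout.buffer.flush()
```

Because every record carries its own length, the writer never needs to seek back, which is what makes classic pcap usable on a pipe. The parser keeps the raw protocol value alongside the Ethertype test so a reader can see which values a cooked-capture dissector would hand to the Ethertype table and which it would have to treat specially.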