Hi All,
I'm looking to write a wiretap module to provide support for the IBM
iSeries (OS/400) formatted packet trace and from looking at the trace
output (sample packet below) it appears that it should fit quite well as
the data appears to be fairly easy to extract, i.e. packet number and
direction are always at the same offset etc.
Looking at other modules in the wiretap directory I think I can get my
head around most of it but there are a couple of areas I'm not quite sure
of. Opening and basic sanity checking of the file to ensure that we are
dealing with an ASCII TCP trace and not an EBCDIC SNA trace seem fairly
straightforward, as does forward and backward packet traversal through
the capture file. The area I'm a little unsure of is the layout of the
pseudo header and capture data formatting, which parts of the capture do
I need to extract and what is the best way to handle the fact that IP
header, TCP header and actual data are in different locations?
If anyone has some pointers on how to best approach this I would be very
grateful, as I'd rather not hack something together now which is a pain in
the butt to maintain later.
Cheers .. Martin
btw. I don't know if I mentioned this before but Ethereal is able to
handle SYSTCPDA formatted capture files from the IBM zSeries (OS/390)
without problems, might be worth mentioning this on the website.
12 S 270 11:44:02.70938 0006299C14AE
0006299C14FE ETHV2 Type: 0800
Frame Type : IP DSCP: 0 ECN: 00-NECT
Length: 270 Protocol: TCP Datagram ID: 388D
Src Addr: 10.20.144.150 Dest
Addr: 10.20.144.151 Fragment Flags: DON'T,LAST
IP Header :
4500010E388D40004006CC070A1490960A149097
IP Options : NONE
TCP . . . : Src Port: 6006,Unassigned Dest
Port: 35366,Unassigned
SEQ Number: 2666470792
('9EEF1D88'X) ACK Number: 2142148924 ('7FAE993C'X)
Code Bits: ACK PSH
Window: 32648 TCP Option: NO OP
TCP Header :
17768A269EEF1D887FAE993C80187F88D92B00000101080A0517ECB0051675B0
Data . . . . . : 5443503200020010 000000C680000000
B800000016030100 861000008200806F *TCP2.......**...*.......*...*.*O*
7973A425FB7358A5 0D2586C1511DEE00
30F5108168AA69F2 0B0969FACB0EFE99 *YS*%*SX*.%**Q.*.0*.*H*I*..I**.***
8C04DF400FEDF621 FBEDCFA2F6350035
53032C2841836EB6 64F971857193C611 **.*@.**|*****5.5S.,(A*N*D*Q*Q**.*
FAF0775E454B00AB A4C6354B82AE7FD0
8AA3B8C6D2D5088B EDE8119B3B45CE5A ***W¬EK.***5K**.*******.***.*;E*Z*
FDA42FD9C056AC16 D963AA0B31DDE92C
AC538D552F5C9C7B 711C5A6835297014 ***/**V*.*C*.1**,*S*U/.*{Q.ZH5)P.*
0301000101160301 003033319054786D
0CE896E7434C08B3 2433BA8064B7396D *.........031*TXM.***CL.*$3**D*9M*
9EA0AB20A899DC06 9A3404FA5B2CEA16
4D9CFFA92F80F430 4004 **** ***.*4.*¢,*.M***/**0@.
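As an added prototype of the extraction logic the post asks about (not code from Ethereal's wiretap directory, which is C): a Python sketch that walks one record of the trace above, ignores the descriptive lines, pulls the hex of the IP header, TCP header and data (dropping the `*...*` ASCII column), joins them behind the two MAC addresses and the Ethertype into a single Ethernet frame, and sanity-checks the result against the IP header checksum and the length field. Assumptions: the first line carries packet number, direction, IP length, timestamp, destination MAC then source MAC, with the Ethertype as its last token, and the mail client wrapped the trace's 32-byte data lines (the sample below rejoins them; the parser accepts either form).

```python
import struct
from itertools import takewhile
# Constructed sample: the record quoted in the post, with the mail-client wrapping undone.
SAMPLE = """\
12 S 270 11:44:02.70938 0006299C14AE 0006299C14FE ETHV2 Type: 0800
IP Header :
4500010E388D40004006CC070A1490960A149097
TCP Header :
17768A269EEF1D887FAE993C80187F88D92B00000101080A0517ECB0051675B0
Data . . . . . : 5443503200020010 000000C680000000 B800000016030100 861000008200806F *TCP2.......**...*.......*...*.*O*
7973A425FB7358A5 0D2586C1511DEE00 30F5108168AA69F2 0B0969FACB0EFE99 *YS*%*SX*.%**Q.*.0*.*H*I*..I**.***
8C04DF400FEDF621 FBEDCFA2F6350035 53032C2841836EB6 64F971857193C611 **.*@.**|*****5.5S.,(A*N*D*Q*Q**.*
FAF0775E454B00AB A4C6354B82AE7FD0 8AA3B8C6D2D5088B EDE8119B3B45CE5A ***W¬EK.***5K**.*******.***.*;E*Z*
FDA42FD9C056AC16 D963AA0B31DDE92C AC538D552F5C9C7B 711C5A6835297014 ***/**V*.*C*.1**,*S*U/.*{Q.ZH5)P.*
0301000101160301 003033319054786D 0CE896E7434C08B3 2433BA8064B7396D *.........031*TXM.***CL.*$3**D*9M*
9EA0AB20A899DC06 9A3404FA5B2CEA16 4D9CFFA92F80F430 4004 **** ***.*4.*¢,*.M***/**0@.
"""

def hex_words(line):
    """Leading hex words of a line, stopping at the '*...*' ASCII column."""
    return list(takewhile(lambda t: not t.strip("0123456789ABCDEF"), line.split()))

def parse_record(text):
    """Rebuild one trace record into an Ethernet frame plus its metadata."""
    lines = text.splitlines()
    head = lines[0].split()  # assumed order: number, direction, length, time, dst MAC, src MAC, ..., ethertype
    hexparts, mode = head[4:6] + [head[-1]], None
    for ln in lines[1:]:
        if ln.startswith(("IP Header", "TCP Header")):
            mode = "one"             # the header hex is on the following line
        elif ln.startswith("Data"):
            mode, ln = "all", ln.split(":", 1)[1]
        words = hex_words(ln) if mode else []
        hexparts += words
        if mode == "one" and words:
            mode = None
    return {"number": int(head[0]), "direction": head[1], "time": head[3],
            "ip_len": int(head[2]), "frame": bytes.fromhex("".join(hexparts))}

def check_record(rec):
    """Consistency checks a reader should apply before trusting a record."""
    frame = rec["frame"]
    ihl = (frame[14] & 0x0F) * 4
    ip, tcp = frame[14:14 + ihl], frame[14 + ihl:]
    csum = sum(struct.unpack("!%dH" % (ihl // 2), ip))
    while csum >> 16:                # fold carries; a valid IP header sums to 0xFFFF
        csum = (csum & 0xFFFF) + (csum >> 16)
    return {"ip_checksum_ok": csum == 0xFFFF, "payload_len": len(tcp) - (tcp[12] >> 4) * 4,
            "ports": struct.unpack("!HH", tcp[:4]), "seq": struct.unpack("!I", tcp[4:8])[0],
            "length_ok": struct.unpack("!H", ip[2:4])[0] == rec["ip_len"] == len(frame) - 14}
```

For the record above the checks pass: the 20-byte IP header checksums correctly, the IP length 270 matches the 284-byte frame minus its 14-byte Ethernet header, and the ports and sequence number decoded from the raw TCP header agree with the values printed in the trace.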