Wireshark-dev: Re: [Wireshark-dev] Questions about dev
From: "Neha Chahal" <neha.chahal@xxxxxxxxx>
Date: Wed, 8 Nov 2006 17:31:25 -0800
I will try this out as well. Thank you.
--
Thanks and Regards,
Neha Chahal
Cell- 443 207 0414
On 11/7/06, Kukosa, Tomas <tomas.kukosa@xxxxxxxxxxx> wrote:
Hello,
I use a little bit different solution for a similar problem.
Sometimes I need to dissect proprietary protocols from trace files not
supported by Wireshark.
I use the following way:
1) convert the trace file to pcap format with linktype DLT_USERx (x=0-15);
a simple conversion tool can be written in Perl, Python or whatever you
like
2) register my dissector to WTAP_ENCAP_USERx;
dissector_add("wtap_encap", WTAP_ENCAP_USERx, my_proto_handle);
The advantage is that it does not need any changes (and recompilation)
in Wireshark.
regards,
Tomas
-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Neha Chahal
Sent: Tuesday, November 07, 2006 9:13 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Questions about dev
On 11/7/06, Guy Harris <guy@xxxxxxxxxxxx > wrote:
> Neha Chahal wrote:
>
> > The format of the file is binary
>
> "Binary" isn't a format for a packet capture; there are several capture
> file formats, all of which are binary, but they're not all the same.
> What *specific* binary format is it?
>
> Is this some standard format (libpcap format as used by
> tcpdump/WinDump/Wireshark/etc., DOS Sniffer format, Windows Sniffer
> format, Microsoft Network Monitor format, Sun snoop format, etc.), or is
> it some format you or somebody else has created?
Yes, it is "not" one of these formats. The packets are in LEA binary
format.
>
> > and the protocol is LEA.
>
> What protocol is that?
Law Enforcement Agency protocol for call tracing (lawful intercept
protocol).
>
> > It is a protocol at the application layer. So it is the topmost
> > protocol.
>
> What protocol does it run atop? TCP? UDP? Some other protocol?
>
On top of UDP for my application.
> > So I have to implement both. Is that true?
>
> Yes, you have to implement both read and seek_read functions.
>
> > So my read routine is returning the packet in wth->frame_buffer. But I
> > have not implemented the seek_read. The README.dev says "implement
> > seek_read if necessary". What does this mean?
>
> It means that the documentation hasn't been updated to indicate that
> there's no longer a "default" seek_read routine that a file format
> module can use, so modules always have to have their own seek_read
> routine. (I've just checked in a change to wiretap/README.developer to
> fix that.)
>
> > When is it necessary?
>
> Always.
>
> > My packets don't have any transport layer headers. They are in the
> > format I have specified in the dissector. So this is the way my packet
> > looks like.
> >
> > fixed header
> > payload header
> > variable length payload
>
> So are you saying that the *ONLY* protocol in the packet is this "LEA"
> protocol?
Yes, only LEA.
>
> > In the dissector I have given protocol details starting from the fixed
> > header. So the packet that I return in the wth->frame_buffer should
> > start from the fixed header to the end of the payload. Is this
> > correct?
>
> Yes.
>
> > Where should the data offset point. At the payload header or at the
> > fixed header ?
>
> At the fixed header - it's the offset to which the seek_read routine
> would need to seek to get the entire packet.
okay.
So once I am done doing these changes, how do I test my changes?
Should I do a make install and then run tethereal on my binary file?
Currently I am working on the ethereal tar I downloaded.
Thank you very much, and forgive me if I sound stupid, but I am very new
to ethereal/wireshark.
--Neha
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>
--
Thanks and Regards,
Neha Chahal
Cell- 443 207 0414
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev
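The conversion step Tomas describes (write the proprietary trace out as pcap with linktype DLT_USERx, so the dissector registered on WTAP_ENCAP_USERx picks it up without rebuilding Wireshark), as an added Python example that is not code from the thread. The input record layout is a constructed placeholder, since the real LEA file format is not described here; DLT_USER0..USER15 are pcap link types 147..162.

```python
"""Convert a proprietary trace into pcap with a DLT_USERn link type.

Constructed example, not from the thread. The input format is hypothetical:
each record is a big-endian 4-byte seconds, 4-byte microseconds and 2-byte
payload length, followed by the payload (the application-layer packet).
"""
import struct

DLT_USER0 = 147           # LINKTYPE_USER0..USER15 are 147..162 in pcap
PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_SNAPLEN = 65535


def dlt_user(n):
    """Pcap link type for DLT_USERn; Wireshark maps it to WTAP_ENCAP_USERn."""
    if not 0 <= n <= 15:
        raise ValueError("DLT_USERn only defines n = 0..15")
    return DLT_USER0 + n


def parse_records(data):
    """Yield (sec, usec, payload); a truncated record raises ValueError."""
    off = 0
    while off < len(data):
        if len(data) - off < 10:
            raise ValueError("truncated record header at offset %d" % off)
        sec, usec, length = struct.unpack_from(">IIH", data, off)
        off += 10
        if len(data) - off < length:
            raise ValueError("truncated payload at offset %d" % off)
        yield sec, usec, data[off:off + length]
        off += length


def to_pcap(data, user_dlt=0):
    """Return complete pcap file bytes: global header plus one record per packet."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                       PCAP_SNAPLEN, dlt_user(user_dlt))]
    for sec, usec, payload in parse_records(data):
        incl = min(len(payload), PCAP_SNAPLEN)
        out.append(struct.pack("<IIII", sec, usec, incl, len(payload)))
        out.append(payload[:incl])
    return b"".join(out)


# Constructed input: two records carrying opaque application-layer bytes.
SAMPLE_TRACE = (struct.pack(">IIH", 1162944000, 250000, 3) + b"\x01\x02\x03"
                + struct.pack(">IIH", 1162944001, 0, 2) + b"\xaa\xbb")

if __name__ == "__main__":
    with open("trace_user0.pcap", "wb") as f:   # open in Wireshark/tethereal
        f.write(to_pcap(SAMPLE_TRACE))
```

Each pcap record then contains only the application-layer bytes, so the dissector registered on the matching WTAP_ENCAP_USERn sees the fixed header at offset 0, exactly as the thread describes.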