Wireshark · Wireshark-dev: [Wireshark-dev] ATM Dissector - atm-pdus-untruncated support for libpcap files

Wireshark-dev: [Wireshark-dev] ATM Dissector - atm-pdus-untruncated support for libpcap files

From: João Pedro Fonseca <j.pedro.fonseca@xxxxxxxxxxxxxxx>

Date: Mon, 12 Mar 2007 12:06:28 +0000

Hello,

I'm working on a project that uses an Endace card to capture ATMtraffic. These captures are in ERF format (Endace's proprietary format),and Wireshark can read them perfectly.

However, I'm also using mergecap, editcap and tshark to post-process thefiles, and they convert them to libpcap format, using the atm-pdusencapsulation type.

This encapsulation type states that the AAL5 trailers are not includedin the captured data, but the conversion process leaves the trailer inanyway. This is probably because there is no libpcap equivalent of theatm-pdus-untruncated encapsulation type, and a best effort conversion ismade.

The problem is that the ATM dissector assumes that no trailer ispresent, and some higher-level protocol dissectors (SSCOP, for example)are not working well as a result.

I solved the problem with the attached patch. It adds a"atm.force_untruncated" configuration option to the ATM dissector. Whenset, it assumes the trailer is present, even if the encapsulation typeis atm-pdus.

The perfect way of solving this problem would be to create a libpcapformat equivalent to atm-pdus-untruncated, and modify the ERF->libpcapconversion code to use it - but this may take a little more time andeffort. My patch can serve as a temporary solution to this problem...

Could you please consider the inclusion of this patch in the nextversion of Wireshark?


Thanks,
João Fonseca

--- /tmp/wireshark-0.99.5/epan/dissectors/packet-atm.c	2007-02-01 23:00:48.000000000 +0000
+++ /usr/local/src/wireshark-0.99.5/epan/dissectors/packet-atm.c	2007-03-12 11:45:40.801621033 +0000
@@ -72,6 +72,8 @@
 static dissector_handle_t data_handle;
 
 static gboolean dissect_lanesscop = FALSE;
+static gboolean force_untruncated = FALSE;
+
 
 /*
  * See
@@ -1568,6 +1570,8 @@
   	dissect_lanesscop ) {
   	pinfo->pseudo_header->atm.aal = AAL_SIGNALLING;
   }
+  if ( force_untruncated )
+	  truncated = FALSE;
 
   if (check_col(pinfo->cinfo, COL_PROTOCOL))
     col_set_str(pinfo->cinfo, COL_PROTOCOL, "ATM");
@@ -1711,6 +1715,7 @@
 	prefs_register_bool_preference ( atm_module, "dissect_lane_as_sscop", "Dissect LANE as SSCOP",
 		"Autodection between LANE and SSCOP is hard. As default LANE is preferred",
 		&dissect_lanesscop);
+	 prefs_register_bool_preference ( atm_module, "force_untruncated", "Force atm-pdus-untruncated encapsulation type", "The libpcap format desn't define the atm-pdus-untruncated encapsulation type. This setting assumes atm-pdus-untruncated for DLT_SUNATM captures. Use it when you know the captured data contains AAL5 trailers.", &force_untruncated );
 }
 
 void

Follow-Ups:
- Re: [Wireshark-dev] ATM Dissector - atm-pdus-untruncated support for libpcap files
  - From: Guy Harris

Prev by Date: Re: [Wireshark-dev] Adding a data item to gsm map
Next by Date: Re: [Wireshark-dev] Adding a data item to gsm map
Previous by thread: Re: [Wireshark-dev] Building on Windows Failed
Next by thread: Re: [Wireshark-dev] ATM Dissector - atm-pdus-untruncated support for libpcap files
Index(es):
- Date
- Thread