Wireshark-dev: Re: [Wireshark-dev] capturing data from a proprietary device
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 13 Jul 2007 10:34:08 -0700
Fulko.Hew@xxxxxxxxx wrote:

> OK.  And yes, one of the goals is to be able to use BPF.
> But I think I'm beginning to agree with you, it's not on the
> 'off_xxx' variables.  Nothing I do there seems to change
> the symptoms.  But I'd still like to know what the appropriate
> values would be.  -1 to disable or zero as the offset.
>
> The reason I ask is because I intend to insert a few bytes
> of 'level 1 signalling/status info' that would have to be
> skipped by the display routines.

Those variables don't affect the dissectors in Wireshark.

The appropriate values would depend on the particular protocol and format of packets for the protocol. What do those protocols look like?

> No, I am not currently using Wireshark to write/read a libpcap-format file.
> I was going to verify that portion after getting the capture/display
> part working.

If you're displaying packets, you *are* using Wireshark to write and read a libpcap-format file; if you're doing a capture in Wireshark, the packets are written to a libpcap-format file, and the displayed packets are read from that file.

Capturing in Wireshark is done in the capture_loop_dispatch() routine in capture_loop.c. It calls pcap_dispatch(), with capture_loop_packet_cb() as the callback routine. That routine just calls libpcap_write_packet() with the appropriate pcap_t, the struct pcap_pkthdr it was handed, and the raw packet data it was handed.

libpcap_write_packet(), in pcapio.c, just constructs a libpcap-format header, writes it, and writes the packet data. (I have plans to add some new APIs to libpcap that should make it possible to just use libpcap - the ability to get reasonable error indications from the "write a packet" routine, and a pcap_dump_fdopen()-style routine, would be necessary.)
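As an added illustration (not code from Wireshark's pcapio.c or from libpcap), this is the libpcap-format layout that libpcap_write_packet() constructs, written with every I/O call checked and then read back with the record lengths treated as untrusted; the DLT_USER0 link type, the snaplen and the timestamp are assumed or constructed values chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* On-disk libpcap global header and per-record header, host byte order;
 * readers infer endianness from the magic number. */
struct pcap_file_hdr {
    uint32_t magic;                 /* 0xa1b2c3d4 */
    uint16_t ver_major, ver_minor;  /* 2, 4 */
    int32_t  thiszone;              /* GMT offset, 0 in practice */
    uint32_t sigfigs;               /* timestamp accuracy, 0 */
    uint32_t snaplen;               /* max bytes stored per packet */
    uint32_t linktype;              /* DLT_* value that selects the dissector */
};
struct pcap_rec_hdr { uint32_t ts_sec, ts_usec, caplen, len; };

#define PCAP_MAGIC 0xa1b2c3d4u
#define DLT_USER0  147u   /* link type reserved for private encapsulations (assumed here) */

/* Writes are checked, which is the error indication pcap_dump() does not give. */
static int write_file_hdr(FILE *fp, uint32_t snaplen, uint32_t linktype)
{
    struct pcap_file_hdr h = { PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype };
    return fwrite(&h, sizeof h, 1, fp) == 1 ? 0 : -1;
}

static int write_record(FILE *fp, uint32_t sec, uint32_t usec,
                        const uint8_t *data, uint32_t caplen, uint32_t len)
{
    struct pcap_rec_hdr r = { sec, usec, caplen, len };
    if (fwrite(&r, sizeof r, 1, fp) != 1) return -1;
    return fwrite(data, 1, caplen, fp) == caplen ? 0 : -1;
}

/* Read one record back; returns caplen, or -1 on EOF, short read or bad lengths. */
static int read_record(FILE *fp, struct pcap_rec_hdr *r, uint8_t *buf, size_t bufsz)
{
    if (fread(r, sizeof *r, 1, fp) != 1) return -1;
    if (r->caplen > bufsz || r->caplen > r->len) return -1;   /* lengths come from the file */
    return fread(buf, 1, r->caplen, fp) == r->caplen ? (int)r->caplen : -1;
}

/* Round-trip one packet through a temp file; returns its caplen if the record
 * read back matches what was written, -1 otherwise. Timestamp is constructed. */
static int roundtrip(const uint8_t *pkt, uint32_t n)
{
    FILE *fp = tmpfile();
    struct pcap_file_hdr fh; struct pcap_rec_hdr rh; uint8_t buf[256];
    if (!fp || write_file_hdr(fp, 65535, DLT_USER0) ||
        write_record(fp, 1184347648u, 0, pkt, n, n)) return -1;
    rewind(fp);
    if (fread(&fh, sizeof fh, 1, fp) != 1 || fh.magic != PCAP_MAGIC ||
        fh.linktype != DLT_USER0) { fclose(fp); return -1; }
    int got = read_record(fp, &rh, buf, sizeof buf);
    fclose(fp);
    return (got == (int)n && memcmp(buf, pkt, n) == 0) ? got : -1;
}
```

The first two bytes of the sample packet in the test stand in for the kind of prepended signalling/status bytes discussed above; a dissector for the chosen link type would have to skip them, but the file writer and reader simply carry them.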