Wireshark-dev: Re: [Wireshark-dev] Hardware Platform to capture SS7 traffic on TDM lines to Dec
Varuna De Silva wrote:
> 1. Can we use/modify PCAP to access the contents of the memory, since
> the data transfer is through USB and we don't have low-level access to
> the IC (i.e. before that being sent to the memory)? (I am new to pcap
> as well)
In your original message, you said:
> Dear friends, I am new to the Wireshark community as a developer. As
> our final year project we will be developing an SS7 protocol analyzer.
> Here we will be developing the hardware circuitry to tap a physical E1
> line. Dallas Maxim E1/DS1 ICs are being used to capture the raw data,
> and that data will be ported into a machine using a USB IC from FTDI.
Presumably you have a driver of some sort for the USB device that reads 
the packets.  You would add to libpcap code to open that device and read 
packets from it.  Discussion of the details of extending libpcap should 
be done on the tcpdump-workers@xxxxxxxxxxx mailing list.
> 2. If we use raw SS7 frames, how does Wireshark know that they are SS7
> messages? Do we have to specify them to be decoded as SS7 messages?
If you are supplying MTP2 frames (again, with the framing delimiters, 
and any bit stuffing, removed), your libpcap device would supply a 
link-layer type value of DLT_MTP2 (which doesn't supply any direction 
information) or DLT_MTP2_WITH_PHDR (which precedes the MTP2 frame with a 
4-byte "pseudo-header" containing:

   - 1 byte with a value of 1 if the packet is going in one direction and 
     0 if it's going in the other direction (1 is for the "sent" direction, 
     but if the machine running Wireshark isn't itself sending or receiving 
     frames, it's not really "sent vs. received", it's just one direction vs. 
     the other);

   - 1 byte with a value of 0 if extended sequence numbers are being 
     used, 1 if extended sequence numbers are being used, or 2 if you don't 
     know whether they're being used or not;

   - 2 bytes, in network byte order (big-endian), with the link number).
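The following is an added example, not code from this thread or from libpcap/Wireshark, showing what the reply above describes end to end: a capture producer writes a classic pcap file whose link-layer type is DLT_MTP2_WITH_PHDR, prefixes each stripped MTP2 frame with the 4-byte pseudo-header (direction byte, Annex A byte, big-endian link number), and a reader parses the pseudo-header back. It assumes the libpcap registry values 139 (MTP2 with pseudo-header) and 140 (bare MTP2) from https://www.tcpdump.org/linktypes.html, the Annex A byte encoding libpcap defines (0 = not used, 1 = used, 2 = unknown), and that the MTP2 FCS is the HDLC/X.25 CRC-16 (Q.703 follows the X.25 FCS; treat that as an assumption and confirm against your capture hardware). The MSU contents are constructed filler, not a real routing label.

```python
"""
Added example (not from the thread, libpcap or Wireshark): write MTP2
frames into a pcap file under DLT_MTP2_WITH_PHDR with the 4-byte
pseudo-header, then read the pseudo-header back.  Sample data is
constructed for the example only.
"""
import os
import struct
import tempfile

# Link-layer type numbers as assigned in libpcap's registry
# (https://www.tcpdump.org/linktypes.html); confirm against that list.
LINKTYPE_MTP2_WITH_PHDR = 139   # MTP2 frame preceded by 4-byte pseudo-header
LINKTYPE_MTP2 = 140             # bare MTP2 frame, no direction info

# Encoding of the pseudo-header's Annex A (extended sequence numbers) byte,
# as libpcap defines it.
ANNEX_A_NOT_USED = 0
ANNEX_A_USED = 1
ANNEX_A_UNKNOWN = 2


def crc16_x25(data: bytes) -> int:
    """CRC-16/X-25: reflected poly 0x8408, init 0xFFFF, final XOR 0xFFFF.
    Assumed here to be the Q.703 MTP2 FCS (same as the HDLC/X.25 FCS)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_mtp2_msu(bsn, bib, fsn, fib, sio, sif: bytes) -> bytes:
    """One MTP2 MSU with basic 7-bit sequence numbers, flags and bit
    stuffing already removed (what a driver would hand libpcap):
      byte 0: BSN (low 7 bits) | BIB (bit 7)
      byte 1: FSN (low 7 bits) | FIB (bit 7)
      byte 2: LI, number of bytes after LI, capped at 63
      then SIO, SIF, and the 2-byte FCS transmitted LSB first."""
    payload = bytes([sio]) + sif
    li = min(len(payload), 63)
    header = bytes([(bib << 7) | (bsn & 0x7F),
                    (fib << 7) | (fsn & 0x7F),
                    li & 0x3F])
    body = header + payload
    return body + struct.pack("<H", crc16_x25(body))


def verify_fcs(frame: bytes) -> bool:
    """True if the trailing 2-byte FCS matches the CRC over the rest."""
    return crc16_x25(frame[:-2]) == struct.unpack("<H", frame[-2:])[0]


def build_phdr(sent: bool, annex_a: int, link_number: int) -> bytes:
    """4-byte DLT_MTP2_WITH_PHDR pseudo-header: direction byte, Annex A
    byte, link number in network (big-endian) byte order."""
    return struct.pack(">BBH", 1 if sent else 0, annex_a, link_number)


def parse_phdr(record: bytes) -> dict:
    """Split a DLT_MTP2_WITH_PHDR record into pseudo-header fields + frame."""
    sent, annex_a, link_number = struct.unpack(">BBH", record[:4])
    return {"sent": sent, "annex_a": annex_a,
            "link_number": link_number, "frame": record[4:]}


def write_pcap(path, linktype, records, snaplen=65535):
    """Classic little-endian pcap: 24-byte file header, 16-byte record
    headers.  records is a list of (ts_sec, ts_usec, bytes)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype))
        for ts_sec, ts_usec, data in records:
            f.write(struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)))
            f.write(data)


def read_pcap(path):
    """Return (linktype, [record bytes]) for a file written by write_pcap."""
    with open(path, "rb") as f:
        magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", f.read(24))
        if magic != 0xA1B2C3D4:
            raise ValueError("not a little-endian classic pcap file")
        records = []
        while True:
            hdr = f.read(16)
            if len(hdr) < 16:
                break
            _s, _us, incl_len, _orig = struct.unpack("<IIII", hdr)
            records.append(f.read(incl_len))
    return linktype, records


def demo():
    """Write two constructed MSUs (one per direction) on link 5 and read
    the pseudo-headers back.  Returns (linktype, parsed records)."""
    sif = bytes.fromhex("0102030405060708")   # constructed filler, not a routing label
    sio = 0x83                                 # NI bits 10, service indicator 3 (SCCP)
    fwd = build_phdr(True, ANNEX_A_NOT_USED, 5) + build_mtp2_msu(0x7F, 1, 0x00, 1, sio, sif)
    rev = build_phdr(False, ANNEX_A_NOT_USED, 5) + build_mtp2_msu(0x00, 1, 0x7F, 1, sio, sif)
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_pcap(path, LINKTYPE_MTP2_WITH_PHDR, [(0, 0, fwd), (0, 1000, rev)])
        linktype, records = read_pcap(path)
    finally:
        os.unlink(path)
    return linktype, [parse_phdr(r) for r in records]


if __name__ == "__main__":
    lt, parsed = demo()
    print("linktype", lt)
    for p in parsed:
        print(p["sent"], p["annex_a"], p["link_number"], p["frame"].hex(), verify_fcs(p["frame"]))
```

The file this writes can be opened directly in Wireshark; because the link type is 139 rather than 140, Wireshark gets the direction and link number from the pseudo-header instead of having to guess. If your driver can't tell which of the two E1 directions a frame came from, DLT_MTP2 (140) with no pseudo-header is the honest choice.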