Wireshark-dev: Re: [Wireshark-dev] How to make libpcap/wiretap understand proprietry/standard l
From: Gaurav1 Jain <gaurav1.jain@xxxxxx>
Date: Fri, 19 Sep 2008 10:40:05 +0530
Hi,
 
-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Friday, September 19, 2008 9:28 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] How to make libpcap/wiretap understand proprietry/standard link-layers
 
 
On Sep 18, 2008, at 8:31 PM, Gaurav1 Jain wrote:
 
> We are using an A104 Sangoma card
 
I.e.:
 
 
> to tap an E1
 
"Tap" as in "just capture traffic passively", using some special
driver that provides packets without the card acting as a regular
network interface (of the type that shows up in, for example, ifconfig
output), or is it attached as a Linux network interface, so that
libpcap is just capturing on it as a standard network interface?
 
If the former, that means you've modified libpcap; if the latter, then
libpcap is treating the card like any other network device, meaning
that it determines the DLT_ for the link layer by asking for its
ARPHRD_ type and:
 
        if it's a known ARPHRD_ type, mapping it to the appropriate DLT_ type
(or perhaps doing the capture in "cooked mode" and using DLT_LINUX_SLL);
 
        if it's not a known ARPHRD_ type, doing the capture in "cooked mode"
and using DLT_LINUX_SLL.
 
Gaurav: Yes, the latter is the case. If I try to capture the interface using
 
Capture → Options → Link Header Type is displayed as Linux Cooked Mode Capture.
 
When traces are displayed, the protocol decoded is found to be IP.
 
Otherwise, when the PCAP file is first captured using WanDriver commands (available with WanPipe) and then opened using Wireshark, TZSP is the protocol displayed on the GUI.
 
> and for an E1, this card provides IP interface (as configured).
 
So what does it mean when it "provides [an] IP interface"?  Does that
mean that the card supplies IP packets, with link-layer headers
stripped off,
 
Gaurav: Yes, this is the case.
 
or does it supply packets with link-layer headers, with
the driver processing those headers and then stripping them off and
handing them to the IP layer?
 
 
 
> So you can say there is no ICMP/UDP/TCP/SCTP/IP kind of DLT attached
> to traces.
 
There is no "ICMP/UDP/TCP/SCTP/IP kind of DLT" attached to *any*
traces; those are all protocols running atop the link layer.  There is
a DLT_RAW link layer used for packets where there *is* no link-layer
header.
Gaurav: I checked the pcap man page and it says DLT_RAW means the packet begins with an IP header.
 
 
Are you using Sangoma's Wanpipe software?  If so, see the diagram at
the bottom of
 
 
Where are you connecting to the card in that diagram?
 
Gaurav: We are using the HDLC protocol while configuring WANPIPE,
so it should be the LIP Protocol stack line where the card is getting connected, and accordingly the ARPHRD_ type should be ARPHRD_HDLC.
 
 
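An added example, not part of the thread and not libpcap or Wireshark code: a small reader that reports which link-layer type a capture file declares and, for a Linux cooked-mode capture, which ARPHRD_ type the kernel reported, so the two cases discussed above (DLT_LINUX_SLL versus DLT_RAW) can be told apart. The function names and the sample packets are constructed for illustration.

```python
import struct

LINKTYPE_RAW = 101        # value stored in files for DLT_RAW: packet begins with the IP header
LINKTYPE_LINUX_SLL = 113  # value stored in files for DLT_LINUX_SLL: 16-byte cooked header
ARPHRD_NAMES = {1: "ARPHRD_ETHER", 513: "ARPHRD_HDLC", 772: "ARPHRD_LOOPBACK"}

def build_pcap(linktype, packet):
    """Constructed sample input: a little-endian pcap file holding one packet."""
    file_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    rec_hdr = struct.pack("<IIII", 0, 0, len(packet), len(packet))
    return file_hdr + rec_hdr + packet

def describe_first_packet(data):
    """Report the file's link type and what its first packet starts with."""
    if len(data) < 40:
        raise ValueError("too short for a pcap file header plus one record")
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack(endian + "I", data[20:24])
    (incl_len,) = struct.unpack(endian + "I", data[32:36])
    pkt = data[40:40 + incl_len]
    if len(pkt) != incl_len:
        raise ValueError("truncated packet record")
    info = {"linktype": linktype}
    if linktype == LINKTYPE_LINUX_SLL:
        if len(pkt) < 16:
            raise ValueError("packet shorter than the cooked header")
        # Cooked header, big-endian: packet type, ARPHRD_ type, address
        # length, 8 address bytes, protocol of the payload.
        _ptype, hatype, _alen, _addr, proto = struct.unpack(">HHH8sH", pkt[:16])
        info["arphrd"] = ARPHRD_NAMES.get(hatype, hatype)
        info["protocol"] = proto
        pkt = pkt[16:]
    elif linktype != LINKTYPE_RAW:
        return info  # other link types are outside this example
    info["ip_version"] = pkt[0] >> 4 if pkt else None
    return info

# Constructed 20-byte IPv4 header (documentation addresses, checksum left zero)
IPV4 = bytes.fromhex("45000014" "00000000" "40010000" "c0000201" "c0000202")
COOKED = build_pcap(LINKTYPE_LINUX_SLL,
                    struct.pack(">HHH8sH", 0, 513, 0, b"", 0x0800) + IPV4)
RAW = build_pcap(LINKTYPE_RAW, IPV4)
```
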