Wireshark-dev: Re: [Wireshark-dev] UI for packets differing by a checksum on the end
On Thu, Jul 29, 2010 at 3:25 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>
> On Jul 29, 2010, at 7:19 AM, Jon Smirl wrote:
>
>> I'm working on the 802.15.4 packet decoder. 802.15.4 packets have a
>> two byte hardware checksum at the end of them. Some sniffer hardware
>> includes this checksum in the packets returned and some hardware
>> doesn't.
>>
>> We've been switching between them by changing the source code:
>> - ieee802154_handle = find_dissector("wpan");
>> + ieee802154_handle = find_dissector("wpan_nofcs");
>>
>> How can I fix this so that I can switch using the UI?
>
> Well, the first question you should ask is "can I fix this so that I don't *need* to switch using the UI?" If the machine doing the capturing knows whether the sniffer hardware includes the FCS or not, users shouldn't *have* to know it and shouldn't *have* to tell Wireshark.

The hardware that is leaving the FCS on encapsulates them as Ethernet
frames with an Ethertype of 0x809a.

In packet-ieee802154.c:

static void
dissect_ieee802154_nofcs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    tvbuff_t *new_tvb;
    /* If there is no FCS present in the reported packet, then the length of
     * the true IEEE 802.15.4 packet is actually 2 bytes longer. Re-create
     * the buffer with an extended reported length so that the packet will
     * be handled as though the FCS were truncated.
     *
     * Note, we can't just call tvb_set_reported_length(), because it includes
     * checks to ensure that the new reported length is not longer than the old
     * reported length (why?), and will throw an exception.
     */
    new_tvb = tvb_new_subset(tvb, 0, -1,
            tvb_reported_length(tvb)+IEEE802154_FCS_LEN);
    /* Call the common dissector. */
    dissect_ieee802154_common(new_tvb, pinfo, tree, 0);
} /* dissect_ieee802154_nofcs */

That routine is adding fake fcs bytes to the end of the packet. The
main dissector code assumes the FCS is present.

Adding a check that the packet is not encapsulated in ethertype 0x809a
should do the trick.

How do I check for that?

if (!ethernet encapsulate 0x809a)
    new_tvb = tvb_new_subset(tvb, 0, -1,
            tvb_reported_length(tvb)+IEEE802154_FCS_LEN);

> In what file format are the captures for those different pieces of hardware? If they're in pcap format, you should ask for a new DLT_ value for "802.15.4 without an FCS", use that DLT_ value for the sniffing hardware that doesn't include the checksum, and map that DLT_ value to the new WTAP_ENCAP_IEEE802_15_4_NOFCS value.

Both pieces of hardware are sending the packets into the Linux
networking subsystem. I'm using Wireshark to capture from the network
devices.

--
Jon Smirl
jonsmirl@xxxxxxxxx
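
Added example, not part of the original message and not Wireshark code: the thread turns on whether the two trailing FCS bytes are present, and a stand-alone check can answer that for a given frame by recomputing the 802.15.4 FCS and comparing it with the last two bytes. The function names (fcs16, frame_has_valid_fcs, classify_sample) and the sample frame (FCF 0x8841, sequence 0x2a, PAN 0xabcd, broadcast destination, source 0x0001, two payload bytes) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IEEE802154_FCS_LEN 2
/* Illustrative helper, not Wireshark API. 802.15.4 FCS = 16-bit ITU-T CRC
 * (x^16+x^12+x^5+1), register starts at 0, LSB first (0x8408 = reflected poly). */
static uint16_t fcs16(const uint8_t *buf, size_t len)
{
    uint16_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (uint16_t)((crc & 1) ? (crc >> 1) ^ 0x8408 : crc >> 1);
    }
    return crc;
}

/* 1 if the last two bytes are the little-endian FCS of everything before
 * them, 0 if not (FCS stripped by the hardware, or a corrupted frame). */
static int frame_has_valid_fcs(const uint8_t *frame, size_t len)
{
    if (len <= IEEE802154_FCS_LEN)
        return 0;
    uint16_t trailer = (uint16_t)(frame[len - 2] | (frame[len - 1] << 8));
    return fcs16(frame, len - IEEE802154_FCS_LEN) == trailer;
}

/* Constructed sample (not a real capture): data frame header plus 2 payload bytes. */
static const uint8_t sample[] = { 0x41, 0x88, 0x2a, 0xcd, 0xab, 0xff, 0xff, 0x01, 0x00, 0x68, 0x69 };

/* Build the sample as the hardware would deliver it, with or without FCS. */
static int classify_sample(int with_fcs)
{
    uint8_t frame[sizeof sample + IEEE802154_FCS_LEN];
    size_t len = sizeof sample;
    memcpy(frame, sample, len);
    if (with_fcs) {
        uint16_t fcs = fcs16(frame, len);
        frame[len++] = (uint8_t)(fcs & 0xff);
        frame[len++] = (uint8_t)(fcs >> 8);
    }
    return frame_has_valid_fcs(frame, len);
}

int main(void)
{
    printf("with FCS: %d, without FCS: %d\n", classify_sample(1), classify_sample(0));
    return 0;
}
```

A frame whose FCS was corrupted in transit gives the same result as a frame with no FCS, and a frame without FCS can match by chance, so this only works as a heuristic over many frames of a capture.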