Wireshark · Wireshark-dev: Re: [Wireshark-dev] wiretap - using as a library rather than coupled with Wireshark?

[Tim Furlong <dev.null.2007@xxxxxxxxx>]

Hi Richard,

Sorry for the delay in getting back to you - and I wish I had more time to look into it before responding, but the baby will be up soon and I wanted to follow up while I had a few minutes.

Also, quick but important caveat: I'm a dev-list lurker, as opposed to a core Wireshark developer, and my opinions are entirely my own - I'll happily to defer to them on any of the below.  But, since I opened my big keyboard about editcap in the first place, I'll do what I can. :-)

One of the biggest challenges you'll face in this is that the code to parse radiotap is in epan/dissectors and gets compiled into libwireshark; you won't want to pull libwireshark in to editcap (it'd kind of defeat the purpose of editcap).  Didn't locate the airopeek code, but believe it's in libwiretap, which should be fine.  Also, I don't know if there's code to generate radiotap headers, though I'd be inclined to follow through what wireshark does when doing a wi-fi capture to try and find it (well, doing the capture first to confirm that it.

Actually, come to think of it, if you can do wi-fi capture with dumpcap, then there is probably code somewhere to write radiotap without going to libwireshark, so you might be in luck - though you'd want to confirm with a test capture that dumpcap does write radiotap headers before you sink much time into that.  For translating from airopeek, though, as Guy indicated, you're likely going to do the heavy lifting on that yourself.  My inclination would be to do concurrent Wireshark and Airopeek captures on the same network at the same time, if possible, and then use the two captures to figure out your field mappings - or at least, to start doing so.

Sorry I can't be of more help, but hopefully there's something useful in the above. :P

Thanks, and good luck,

-Tim

On Mon, Nov 30, 2015 at 7:27 PM, Richard Kinder <rkinder@xxxxxxxxxxxxx> wrote:

Hi Guy, Tim,

Thanks for this input. I think modification of editpcap is the best path forward for this problem.

The files I'm looking at converting are indeed Airopeek, so I'll need to add support for translation of the peek* metadata to radiotap. Any pointers as to where to start, architectural overviews of libwiretap or documentation are greatly appreciated.

Regards,
Richard

-----Original Message-----
From: Guy Harris [mailto:guy@xxxxxxxxxxxx]
Sent: Saturday, 28 November 2015 4:54 AM
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Cc: Richard Kinder <rkinder@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-dev] wiretap - using as a library rather than coupled with Wireshark?


On Nov 27, 2015, at 7:09 AM, Tim Furlong <dev.null.2007@xxxxxxxxx> wrote:

> Sorry if I'm just missing something, but would editcap itself do the job?
>
> editcap <in.pkt> <out.pcapng>
>
> should read your Wildpackets file and produce a pcapng file; add a "-F pcap" for pcap format instead.

...as long as it's not an AiroPeek capture or an OmniPeek Wi-Fi capture, as *that* would require translating the radio metadata headers from either of the *Peek formats to a format supported in pcap/pcapng files, such as radiotap.  editcap doesn't look at the packet contents, and can't do that translation.


This email, including its contents and any attachment(s), may contain confidential information of Quantenna Communications, Inc. and is solely for the intended recipient(s). If you may have received this in error, please contact the sender and permanently delete this email, its contents and any attachment(s).

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

--

Tim Furlong
tim.furlong@xxxxxxxxx