What works great for me now is the custom DLT and regular PCAP in
Wireshark. The dissector I wrote allows me to do a search based on that
"metadata" and then use Wireshark to, for example, play RTP CC data
for SIP calls. I am not sure if pcapng is fully supported if I decide to
implement all that
On May 18, 2019, at 5:03 PM, Damir Franusic wrote:
> And does wireshark currently support new block types and custom options in
> EPBs. I would need to access them in dissector plugin, that's what I'm
> worried about.
There are three types of blocks:
1) standard blocks - you must
And does wireshark currently support new block types and custom options in
EPBs. I would need to access them in dissector plugin, that's what I'm worried
about.
--
Damir Franusic
http://socket.hr
http://github.com/dfranusic
On May 19, 2019 2:00:19 AM GMT+02:00, Guy Harris wrote:
>On May 18,
On May 18, 2019, at 4:26 PM, Damir Franusic wrote:
> I chose pcap since it's older and there's a better chance for support and I
> have previously encountered one agency that actually demanded it.
That might be a sufficient reason for pcapng not to be the answer - if there
are law enforcement
On May 18, 2019, at 3:05 PM, Damir Franusic wrote:
> I know it's extensible but ELEE is used for different purpose
LINKTYPE_ELEE is used for the *same* purpose as pcapng - recording timestamped
network events, and metadata for those events and for the capture process, in a
file.
"Target
Hi
LEAs SHOULD accept only ASN.1 BER encoded but that is not the case. I
encountered a case where they wanted us to convert that ASN.1 back to
pcap. And the problem was that IRI is not packet data and that's why I
would like a new DLT so I could either have a pcap file with all ELEE
data or
No, I get now what you're saying. You think that I should rewrite the
draft to explain custom options in Enhanced Packet Block, rather than
using a new DLT?
On May 12, 2019, at 1:28 PM, Damir Franusic wrote:
> I've tried to be as prompt and as accurate as possible so here is the draft,
> I hope you'll appreciate the effort. I agree
> that the initial thing I sent was an abomination. I will work on this draft
> as the project progresses, but for
On May 18, 2019, at 3:54 PM, Michael Richardson wrote:
> Guy Harris wrote:
>> If we *do* use pcapng, that would mean that:
>
>> 1) Wireshark wouldn't be able to read the lawful intercept information
>> in the files until support for new block types and options are added to
>> it;
>
> Is
Hi
Df_type is a part of CC configuration set by LEA for that target and I
made a little mistake not explaining it properly.
This encoding is only relevant for IRI data in which case, Data can be
either 0x03 ELEE format for IRI which is explained in
3.3.2.1.2.1.2.1.
On May 11, 2019, at 3:42 PM, Michael Richardson wrote:
> Also, it might be that pcapng would actually be a really good container for
> your work rather than inventing yet-another-TLV.
Are there any law enforcement agencies that *will* accept a pcap file but
*won't* accept a pcapng file? *If*
Hi
I know it's extensible but ELEE is used for different purpose but I get what
you're trying to say.
--
Damir Franusic
http://socket.hr
http://github.com/dfranusic
On May 18, 2019 11:18:00 PM GMT+02:00, Michael Richardson wrote:
>Damir Franusic wrote:
>> Hi
>
>> I have read the specs for
Hi
The final link is this one:
http://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?url=http://socket.hr/draft-dfranusic-opsawg-elee-00.xml=html/ascii
..so draft-dfranusic-opsawg-elee-00.xml
Guy has already assigned new DLT and used this link. It seemed more appropriate
to target a specific
Damir Franusic wrote:
> for Lawful Interception Data which can also use SCTP for transport, should I
> use the following naming scheme instead: draft-dfranusic-tsvwg-00
No, that would make your draft visible to the Transport WG datatracker, and
unless it is your intention
Damir Franusic wrote:
> Hi
> I have read the specs for pcapng but then again I would have to use The
> Simple Packet Block (SPB) or
> An Enhanced Packet Block (EPB) and that would not solve my problem because of
> this:
pcapng is explicitly designed to be easily