I was wondering (since live capturing of frame relay packets using the libpcap packet driver is dependent on various factors) how feasible is it to dissect frame relay packets on sniffer capture files (e.g. capture a trace with a hardware analyser such as domino and feed that to ethereal or tcpdump) under windows or HP-UX (10.xx or above). How is ethereal able to dissect FR from trace files?
Looking at the ethereal code a DLT_* type has been defined for FR in the wiretap library, how did that value come up?

Cheers,
George P.

>From: Guy Harris <[EMAIL PROTECTED]>
>To: Georgios Papadopoulos <[EMAIL PROTECTED]>
>CC: [EMAIL PROTECTED]
>Subject: Re: [tcpdump-workers] Frame relay
>Date: Sun, 7 Oct 2001 17:23:01 -0700
>
>On Fri, Oct 05, 2001 at 02:33:19PM +0100, Georgios Papadopoulos wrote:
> > I was wondering if it is possible to capture frame relay traffic from a
> > wire, using libpcap or WinPcap.
> >
> > Does libpcap have the ability to detect the encapsulation type of a
> > packet if that is frame relay, using pcap_datalink()?
>
>Only if the OS and raw packet capture mechanism atop which it runs can
>do so.
>
>FreeBSD's tcpdump has a "print-fr.c" file, but FreeBSD has no DLT_ type
>for frame relay, and the dissector in "print-fr.c" never gets called,
>which suggests that the underlying packet capture mechanism may not
>handle "raw" frame relay - the OS may only run, for example, PPP over
>Frame Relay, so the traffic will look like PPP traffic, with DLT_PPP as
>the encapsulation type.
>
>BSD/OS has a DLT_FR type, but I don't know what the link-layer headers
>on DLT_FR captures are in BSD/OS - i.e., BSD/OS's libpcap may support
>it, but we don't have enough information to add that support to
>tcpdump.org's libpcap (or to programs that run atop libpcap, such as
>tcpdump or Ethereal).
>
>Linux has ARPHRD_DLCI and ARPHRD_FRAD, but I don't know what link-layer
>headers show up when capturing from a PF_PACKET/SOCK_RAW socket on such
>a device, or whether, as is all too often the case on Linux, the
>link-layer headers include random unpredictable crap.
>
>DLPI has a link-layer type code for Frame Relay LAPF, but I don't know
>what shows up if you capture on it.
>
>I don't know what happens on Win32 systems with the WinPcap driver; NDIS
>has the annoying characteristic of having only a generic NdisMediumWan
>link-layer type, which isn't sufficient to indicate whether the
>link-layer header will be PPP, or some form of raw Frame Relay, or....
>
>See
>
>    http://www.ethereal.com/lists/ethereal-dev/200101/msg00065.html
>
>for a mail message from January 2001 about some of these issues.
>
>So:
>
>    if a Frame Relay network interface is running as a PPP interface
>    (PPP-over-Frame-Relay), the underlying packet capture mechanism
>    will probably make it look like other PPP devices, and libpcap
>    will be able to capture from it if it can do so on other PPP
>    devices (which it *can't* do, for example, on Windows NT/2000),
>    but the capture will just be a PPP capture;
>
>    otherwise, if the interface doesn't look like a PPP interface:
>
>        on Linux, it might work, but it'll currently work as a
>        "cooked mode" capture, and not show any Frame Relay
>        link-layer headers - we'd need to send code to somebody
>        with a Linux machine with a Frame Relay interface, and
>        have them test out changes, in order to see whether we
>        can see the Frame Relay headers and, if we can, to debug
>        code to show those headers;
>
>        on other OS platforms, we'd need to send code to
>        somebody with that OS and with a Frame Relay interface,
>        and have them test out changes, in order to see whether
>        we can make libpcap work and, if we can, to debug code
>        to make it work.
>-
>This is the TCPDUMP workers list. It is archived at
>http://www.tcpdump.org/lists/workers/index.html
>To unsubscribe use
>mailto:[EMAIL PROTECTED]?body=unsubscribe
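
Added example, not part of either message and not code from tcpdump, libpcap or Ethereal: a libpcap-format capture file stores its link-layer type in the last field of its 24-byte file header, and a reader uses that value to pick a dissector. The code below reads that field and, for DLT_FRELAY (value 107 in current libpcap, a type the thread does not mention), decodes the two-octet Q.922 address; the function names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define LT_FRELAY 107 /* libpcap DLT_FRELAY: frame starts with the Q.922 address */
struct fr_addr { unsigned dlci; int cr, fecn, becn, de; };

/* Constructed samples: little-endian pcap file header with link type 107,
 * and a frame with DLCI 100, FECN set, then control 0x03 and NLPID 0xcc. */
static const uint8_t sample_hdr[24] = {
    0xd4,0xc3,0xb2,0xa1, 2,0,4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 107,0,0,0 };
static const uint8_t sample_frame[4] = { 0x18, 0x49, 0x03, 0xcc };

/* Link-layer type from a pcap file header, or -1 if this is not one.
 * The byte order of the magic number is the byte order of every field. */
int pcap_file_linktype(const uint8_t *h, size_t len) {
    static const uint8_t be_magic[4] = { 0xa1, 0xb2, 0xc3, 0xd4 };
    int be = 1, le = 1;
    if (len < 24) return -1;
    for (int i = 0; i < 4; i++) {
        be &= (h[i] == be_magic[i]);
        le &= (h[i] == be_magic[3 - i]);
    }
    if (!be && !le) return -1;
    const uint8_t *p = h + 20;              /* last field: link type */
    uint32_t v = be
        ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
        : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
    return v > 0xffff ? -1 : (int)v;        /* larger values not handled here */
}

/* Decode a two-octet Q.922 address. Returns -1 if the data is truncated or
 * the extension (EA) bits do not mark a two-octet address (EA=0, then EA=1). */
int fr_decode_addr(const uint8_t *p, size_t len, struct fr_addr *out) {
    if (len < 2) return -1;
    if ((p[0] & 1) != 0 || (p[1] & 1) != 1) return -1;
    out->dlci = ((unsigned)(p[0] & 0xfc) << 2) | (p[1] >> 4); /* 6 + 4 bits */
    out->cr   = (p[0] >> 1) & 1;
    out->fecn = (p[1] >> 3) & 1;
    out->becn = (p[1] >> 2) & 1;
    out->de   = (p[1] >> 1) & 1;
    return 0;
}

int main(void) {
    struct fr_addr a;
    if (pcap_file_linktype(sample_hdr, sizeof sample_hdr) == LT_FRELAY &&
        fr_decode_addr(sample_frame, sizeof sample_frame, &a) == 0)
        printf("DLCI %u C/R %d FECN %d BECN %d DE %d\n", a.dlci, a.cr, a.fecn, a.becn, a.de);
    return 0;
}
```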
