[EMAIL PROTECTED] wrote:
> I'm trying to figure out how to format (or where to place the data)
> in the pcap buffer when capturing my WAN protocols.
>
> I've built a system that will capture the data and feed it via pcap to
> wireshark, and I've got it working for Ethernet data and for frame relay
> data, but I'm having trouble dealing with getting the proprietary data
> into wireshark intact so that I can later write a dissector.
>
> (I'm going to test everything out before submitting my requests for a set
> of DLT_ numbers for these protocols. In the meantime, I've just taken the
> next few currently un-assigned ones while I work on my code).
>
> The trouble is that I don't know what values to put into: off_linktype,
> off_nl and off_nl_nosnap for my DLT cases. (And I think that's where my
> problem lies.)
>
> Right now, the first thing in each received buffer is the typical 16 bytes
> of: timestamp_sec, timestamp_usec, capture_len, pkt_len, which is
> followed by 'n' bytes of my protocol's data.
>
> Here's the stuff that I captured and fed into pcap/wireshark:
>
> Pkt 1 hdr : 46 93 ae 55 00 0c df 4b 00 00 00 0b 00 00 00 0b
>             \---------/ \---------/ \---------/ \---------/
>              timestamp   timestamp  capture len  packet len
>
> Pkt 1 data: 01 02 03 01 47 50 70 03 64 7f 7f
>             \------------------------------/
>                0xb bytes of my captured data
>
> Pkt 2 hdr : 46 93 ae 56 00 02 3b 7e 00 00 0b 00 00 00 0b
> Pkt 2 data: 01 02 03 01 3b 50 70 03 18 7f 7f
>
> Pkt 3 hdr : 46 93 ae 56 00 06 dd db 00 00 00 0b 00 00 00 0b
> Pkt 3 data: 01 02 03 01 47 50 70 03 64 7f 7f
>
> ...
>
> When Wireshark goes to display it, the Protocol column says 'unknown',
> which I can understand, because I don't have any dissectors for that
> DLT (WTYP_ENCAP) type yet.
>
> The Info column says WTAP_ENCAP = 94.
> (I don't see where it gets the value of '94' from.)
>
> The summary pane (for the first message) says:
>
> Frame 1 had (6 bytes on wire, 6 bytes captured)
> Data (6 bytes)
>
> and the (related) detail pane says:
>
> 0000 7f 56 ae 93 46 7e
>
> I can reverse engineer (see that data pattern in the header of the 2nd data
> message), but I don't know why it's looking in there, and why it thinks
> there is only 6 bytes of data, and why it's looking at it with the endianness
> it is.
>
> For the life of me, I can't figure out what I'm doing wrong,
> to cause Wireshark to go looking in there.
>
> I have tried to look through docs and mailing lists,
> but I haven't found anything to help me yet. :-(

Did you notice http://wiki.wireshark.org/Development/LibpcapFileFormat?

Regards,
ULFL
_______________________________________________
Wireshark-dev mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-dev
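As an added example (not code from the thread or from Wireshark), here is a small Python reader for the classic libpcap format linked above: it takes the byte order from the magic number, walks the 16-byte record headers (ts_sec, ts_usec, incl_len, orig_len) and stops at the first header that cannot be trusted. The sample stream is constructed: a global header using the private-use link type 147 (DLT_USER0) stands in for the poster's unassigned DLT values, packet 1 is the header and data from the post, and the second record header is copied as quoted in the post, where it is 15 bytes rather than 16, so every field after it is shifted by one byte.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap magic (microsecond timestamps)
DLT_USER0 = 147          # first of the private-use link types, 147-162

def parse_pcap(buf):
    """Return (linktype, records, problems) for a classic pcap byte string.

    records: (ts_sec, ts_usec, incl_len, orig_len, payload) per packet.
    problems: (record_index, reason) for the first header that looks wrong.
    """
    # The magic fixes the byte order of every header that follows it.
    if struct.unpack_from("<I", buf, 0)[0] == PCAP_MAGIC:
        bo = "<"
    elif struct.unpack_from(">I", buf, 0)[0] == PCAP_MAGIC:
        bo = ">"
    else:
        raise ValueError("not a classic pcap stream")
    _magic, _vmaj, _vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack_from(bo + "IHHiIII", buf, 0)
    off, records, problems = 24, [], []
    while off < len(buf):
        if len(buf) - off < 16:
            problems.append((len(records), "truncated record header"))
            break
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(bo + "IIII", buf, off)
        off += 16
        # A header that has drifted out of alignment almost always trips one of these.
        if (ts_usec >= 1_000_000 or incl_len > orig_len
                or incl_len > snaplen or incl_len > len(buf) - off):
            problems.append((len(records), "implausible record header"))
            break
        records.append((ts_sec, ts_usec, incl_len, orig_len, buf[off:off + incl_len]))
        off += incl_len
    return linktype, records, problems

# Constructed sample stream, big-endian like the hex dump in the post.
GLOBAL_HDR = struct.pack(">IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_USER0)
PKT1_HDR = bytes.fromhex("46 93 ae 55 00 0c df 4b 00 00 00 0b 00 00 00 0b")
PKT1_DATA = bytes.fromhex("01 02 03 01 47 50 70 03 64 7f 7f")
PKT2_HDR_SHORT = bytes.fromhex("46 93 ae 56 00 02 3b 7e 00 00 0b 00 00 00 0b")  # 15 bytes, as quoted
PKT2_DATA = bytes.fromhex("01 02 03 01 3b 50 70 03 18 7f 7f")

def sample(short_header=True):
    """Build the stream with the quoted 15-byte header, or with the missing 00 restored."""
    hdr2 = PKT2_HDR_SHORT if short_header else PKT2_HDR_SHORT[:10] + b"\x00" + PKT2_HDR_SHORT[10:]
    return GLOBAL_HDR + PKT1_HDR + PKT1_DATA + hdr2 + PKT2_DATA
```

Running the same checks over the bytes a capture tool hands to Wireshark shows whether the record headers line up before the link-type offsets (off_linktype and friends) even come into play.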
