On Aug 30, 2010, at 11:14 PM, [email protected] wrote:
> Is it that one pcap file supports only one DLT?
Yes.
If you have a sufficiently recent version of libpcap on your machine, "man
pcap-savefile" will describe the pcap format; you can also see it described at
http://wiki.wireshark.org/FileFormatReference/libpcap
In both of those places you can see that a pcap file has only one file header,
and the DLT value is in the file header, so there's only one DLT value in a
pcap file, so a pcap file, by definition, supports only one DLT.
> If yes, what is the best way to meet my requirement? I want to decode multiple
> plug-ins in the same pcap file (without decoding the plug-ins' complete stack)
You would have to define a pseudo-protocol that includes a field that indicates
which plugin to call, and put a pseudo-link-layer header with that field in
front of your plugin's data, and then use a single DLT for that pseudo-protocol.
(Wireshark was designed to support protocols on a network, not arbitrary
artificial file formats. Attempts to do something outside what it was designed
for might work, but they aren't going to be as simple as you'd like.)
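
The layout described above, as an added example that is not part of the original message: a writer and a bounds-checked reader for a classic pcap file whose one file-header DLT covers every record, with a pseudo-link-layer header in front of each payload selecting the plugin. The use of DLT_USER0 (147), the 2-byte header layout, and the plugin ids and names are assumptions for illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4            # classic pcap, microsecond timestamps
DLT_USER0 = 147                    # libpcap private-use DLT (assumed choice)
PSEUDO_HDR = struct.Struct("!H")   # assumed pseudo-header: 16-bit plugin id
PLUGINS = {1: "plugin_a", 2: "plugin_b"}   # hypothetical ids and names

def build_pcap(records, linktype=DLT_USER0, snaplen=65535):
    """records: iterable of (ts_sec, plugin_id, payload_bytes)."""
    # One 24-byte file header: the DLT is written here and nowhere else.
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, plugin_id, payload in records:
        frame = PSEUDO_HDR.pack(plugin_id) + payload
        out.append(struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def parse_pcap(data):
    """Return (linktype, [(plugin_id, payload), ...]); raise on bad input."""
    if len(data) < 24:
        raise ValueError("truncated file header")
    magic = struct.unpack_from("<I", data)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:      # same magic written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    _, _, _, _, snaplen, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    frames, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        # Never trust the length field: check it against snaplen and the file.
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("bad captured length")
        if incl_len < PSEUDO_HDR.size:
            raise ValueError("frame shorter than pseudo-header")
        (plugin_id,) = PSEUDO_HDR.unpack_from(data, off)
        frames.append((plugin_id, data[off + PSEUDO_HDR.size:off + incl_len]))
        off += incl_len
    return linktype, frames

def dispatch(data):
    """Map each record to a plugin name using the pseudo-header field."""
    linktype, frames = parse_pcap(data)
    if linktype != DLT_USER0:
        raise ValueError("unexpected DLT %d" % linktype)
    return [(PLUGINS.get(pid, "unknown"), payload) for pid, payload in frames]
```
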