[EMAIL PROTECTED] wrote:

> You mentioned that dissector for LAPB & FrameRelay already exist. I do not
> see those in my version of WireShark (I am running it under WindowsXP).

"Do not see" in what sense?

> Do I have to download any additional software ?

No. See epan/dissectors/packet-lapb.c and epan/dissectors/packet-fr.c.

> Now if I were to do a similar test on our HDLC ports configured for X.25 or
> FrameRelay, what information would I have to put the file header to tell
> WireShark that this is X.25 or FrameRelay capture ?
> I would assume that the answer has to do with the "network" field of the
> "pcap_hdr_t" structure, but ... what do I have to populate it with ? Can it
> be done at all ?

For Frame Relay, yes; the value is 107.

For LAPB, currently, no. You'd have to ask [email protected] for a value. Note that you should indicate whether the packets in that format start with the address field in the LAPB header or whether they also include a field giving an indication of whether the packet was received or sent (unfortunately, libpcap format doesn't have a direction field in the per-packet header).

> Another issue has to do with the requirement to capture traffic from
> multiple cards/ports (each data comm card in a chassis has 8 ports) to a
> single "capture entity". One of the cards in the chassis is a "system
> management card", it runs Linux (this is where WireShark would run). We are
> thinking/considering making changes to the libpcap library on this card, to
> "expose" all the data comm ports on the other cards as "local interfaces" to
> WireShark, this way be able to capture traffic from multiple ports at the
> same time.

Would that be a single stream of packets (i.e., a single pcap_t opened by pcap_open_live())? If so, you'd also want to add a port number in front of the LAPB header, along with possibly adding a direction flag.

If the different cards have different link-layer types, it gets more complicated, in that you'd have to put the link-layer type of each packet in the per-packet header - or adopt pcap-NG format:

	http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html

for which support would have to be added in Wiretap (which would involve Wiretap API changes).

> In the process part of the libpcap library would have to be
> ported to the data comm cards to support run-time filtering ... etc.

E.g., adding the BPF interpreter? The implementation in libpcap is BSD-licensed; Linux includes a GPLed implementation.

_______________________________________________
Wireshark-users mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-users
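The file layout discussed in this thread, as an added example that is not part of the original messages or of libpcap/Wireshark code: it writes a libpcap-format file whose "network" field is 107 (Frame Relay) and shows that the per-packet header carries only timestamps and lengths. The function names, the sample frame bytes and the output file name are assumptions made for illustration; `pcaprec_hdr_t` follows the same libpcap file-format description that names `pcap_hdr_t`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCAP_MAGIC      0xa1b2c3d4u /* stored in writer's byte order; readers detect swapped files */
#define LINKTYPE_FRELAY 107u        /* "network" value for Frame Relay, from the reply above */

typedef struct {                    /* global file header (24 bytes) */
    uint32_t magic_number;
    uint16_t version_major, version_minor;
    int32_t  thiszone;
    uint32_t sigfigs, snaplen, network;
} pcap_hdr_t;

typedef struct {                    /* per-packet header (16 bytes): no direction or port field */
    uint32_t ts_sec, ts_usec, incl_len, orig_len;
} pcaprec_hdr_t;

/* Constructed sample frame: Q.922 address for DLCI 16, UI control, NLPID 0xCC, 2 payload bytes. */
static const uint8_t sample_frame[] = { 0x04, 0x01, 0x03, 0xcc, 0x45, 0x00 };

/* Append the file header to buf; returns bytes written, 0 if it does not fit. */
size_t put_file_header(uint8_t *buf, size_t cap, uint32_t network, uint32_t snaplen)
{
    pcap_hdr_t h = { PCAP_MAGIC, 2, 4, 0, 0, snaplen, network };
    if (cap < sizeof h) return 0;
    memcpy(buf, &h, sizeof h);
    return sizeof h;
}

/* Append one record, truncating the stored bytes to snaplen; returns bytes written or 0. */
size_t put_packet(uint8_t *buf, size_t cap, uint32_t sec, uint32_t usec,
                  const uint8_t *frame, uint32_t len, uint32_t snaplen)
{
    uint32_t incl = len > snaplen ? snaplen : len;
    pcaprec_hdr_t r = { sec, usec, incl, len };
    if (cap < sizeof r + incl) return 0;
    memcpy(buf, &r, sizeof r);
    memcpy(buf + sizeof r, frame, incl);
    return sizeof r + incl;
}

int main(void)
{
    uint8_t out[128];
    size_t n = put_file_header(out, sizeof out, LINKTYPE_FRELAY, 65535);
    n += put_packet(out + n, sizeof out - n, 0, 0, sample_frame, sizeof sample_frame, 65535);
    FILE *f = fopen("fr_sample.pcap", "wb");   /* hypothetical output name */
    if (!f || fwrite(out, 1, n, f) != n) return 1;
    return fclose(f) != 0;
}
```

Because the record header has no direction or port field, any such indication has to travel inside the packet bytes themselves, which is why the reply asks for it to be defined as part of the link-layer type.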
