Wireshark · Ethereal-dev: [ethereal-dev] Wiretap in CVS now

Ethereal-dev: [ethereal-dev] Wiretap in CVS now

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: gram@xxxxxxxxxxxxxxxxxxx (Gilbert Ramirez Jr.)

Date: Thu, 12 Nov 1998 00:35:09 -0600 (CST)

(but even non-CVS users will be interested. Read on....)

I have just added the wiretap library to the CVS tree. There are 2 parts to
the wiretap library, the capture-file reading part, which is in the CVS
tree, and the packet-filtering part, which is on my home computer and is not
usable yet, and therefore _not_ in the CVS tree.

By default ('./configure'), wiretap is not linked into ethereal. You can
link it with './configure --with-wiretap'. If you use wiretap now in it's
infant stage, you will lose the capability of using display filters.
However, you gain the capability of reading pcap files, Sniffer files, and
LANalyzer files. (I just added the LANalyzer code tonight).

Note: the Sniffer and LANalyzer code just provide the raw packet data right
now. I have yet to write the code to provide the timestamps for each packet.
It will be done soon, though.

I am looking for testers for wiretap, especially the Sniffer-reading code.
The Sniffer file format is not published AFAIK, so I am decoding hex dumps
of Sniffer trace files. I have plenty of Token-Ring traces, but only one
ethernet trace file (thanks to Don Lafontaine). I am not yet sure if there
is a field in the Sniffer trace file header section which denotes data link
type, or if it's the filename extension (*.enc vs *.trc vs *.frc). If you
have a Sniffer trace file which bombs under wiretap, I'd love to receive a
copy of it.

Since I'm very interested in getting many users of the Sniffer-reading code,
I have made a patch for those users who use ethereal-0.4.1 and do not have
access to the CVS tree. The next release of ethereal (with wiretap) should
be released soon (gerald has some exciting new code to put in), but if
you're really bleeding-edge and want to try wiretap, you can download the
patch from http://ethereal.zing.org/~gram/wiretap.html This will bring your
ethereal-0.4.1 version up to par with the current CVS tree.
(current == Thu Nov 12 00:28:00 CST 1998)

Oh, and my CVS-update modified every packet-*.c file in ethereal. I removed
the '#include <pcap.h>' line from every packet-*.c file. This is a vestigial
line from the early days of ethereal, when Gerald had the code arranged
differently. I started copying his packet-*.c files, and so did everyone
else, and after ethereal changed a bit, we just overlooked the fact that
none of the packet-*.c files call any libpcap functions or use the
DLT_* macros from pcap.h!

--gilbert

-- 
Gilbert Ramirez                Voice:  +1 210 358 4032
Technical Services             Fax:    +1 210 358 1122
University Health System       San Antonio, Texas, USA

Follow-Ups:
- Re: [ethereal-dev] Wiretap in CVS now
  - From: Guy Harris
- Re: [ethereal-dev] Wiretap in CVS now
  - From: Guy Harris

Prev by Date: [ethereal-dev] Reading Sniffer files
Next by Date: Re: [ethereal-dev] Wiretap in CVS now
Previous by thread: [ethereal-dev] Reading Sniffer files
Next by thread: Re: [ethereal-dev] Wiretap in CVS now
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$