> I am trying to make a wiretap module to capture from a hex dump (like
> toshiba and ascend modules).
> Unfortunately, in my hex dump is no information about what type of data
> being captured, but of course that I know the type since I captured it.
The Ascend module appears to look for, among other things, particular
bits of text that appear at the beginning of the printout for a packet,
e.g. "RECV-<name>" and "XMIT-<name>"; it doesn't just look for some
particular per-file header.
Is there no such heuristic that could be used to determine whether the
capture is in the form of your hex dump? Presumably the reader for the
module expects the data to be in some particular format; couldn't the
open routine try to read part of the capture and, if that attempt fails
because the data is in the wrong format, return 0 (meaning "this isn't a
capture in that format")?
It may even be possible to infer from the packet data the encapsulation
type, depending on the encapsulation types it can have.
> The question is, how to tell interactively to wiretap what type of
> capture file and encoding I have at file loading time ?
>
> For instance, wiretap does not recognize the file type, so it should ask
> me
Wiretap could be linked with:
a line-oriented tty program such as Tethereal;
a GUI program such as Ethereal;
a "curses"-based program;
a daemon that doesn't have a user with which to interact;
so Wiretap *can't* directly interact with the user; it'd have to return
some indication to the program and have the *program* interact with the
user (or, if it's a daemon, return to the client some indication that
the *client* should interact with the user), and somehow allow the
program to tell Wiretap how to open the file, or it'd have to take as an
argument a routine that would do all the user interaction, so that the
program could supply such a routine.
However, if there is *any* way to infer from the file that it's *not* a
valid hex dump of the form your module is trying to read, that would be
far better, as it would obviate the need for user interaction to specify
the file type of the file.
What is this hex dump format? Is it a format you can change? If so,
you should probably seriously consider changing it so that a Wiretap
module can relatively easily determine whether it's a file in that
format and, if so, the encapsulation type. (Even if this format was
originally designed for *humans* to read, the encapsulation type would
be useful, so that the human reading it has a chance of figuring out the
capture type without having to look at the raw data.)
> This would be useful in the future, if the number of wiretap modules
> grows, and the heuristic probe of a file type would be more difficult
> and less precise, you have a chance to choose the right type.
It would be useful *if* we ever run into a "brick wall" where it's
simply *impossible* to figure out the file type; so far, we haven't hit
that brick wall, and I've no reason to *assume* we're guaranteed to hit
that wall, and would strongly prefer to wait until we do before we
complicate the programming interface to Wiretap *and* the user interface
to programs using it.
