Wireshark · Ethereal-dev: Re: [Ethereal-dev] Patch for writing Novell LanAlyzer files

Ethereal-dev: Re: [Ethereal-dev] Patch for writing Novell LanAlyzer files

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>

Date: Mon, 24 Jun 2002 13:37:05 -0700

On Mon, Jun 24, 2002 at 01:05:05PM +0200, Markus Steinmann wrote:
> This is only tested with a i386 Linux system, and maybe there
> are some more things to do for other platforms.

Yes, there are.

For one thing, it uses a routine "timersub()" which appears not to be
present on Solaris, and is probably not present on some other platforms
as well; I'd suggest doing the subtraction by hand.

Also, it uses C++-style comments, but it's C code; not all C compilers
accept C++-style commands, so use C-style comments instead.

A few other comments:

	1) in "lanalyzer_dump_header()", it sets "sr.s.board_type" to a
	   hard-wired value of 225; you should use BOARD_325 instead, to
	   make it clear what it's doing.

	2) "lanalyzer_dump_can_write_encap()" wasn't ever returning an
	   error, but it appears the LANalyzer format can't handle
	   captures where each packet has its own link-layer type, so it
	   should return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED if the
	   "encap" argument is WTAP_ENCAP_PER_PACKET, and it appears
	   that the LANalyzer-writing code can only write Ethernet
	   captures, so if the "encap" argument isn't
	   WTAP_ENCAP_ETHERNET (and isn't WTAP_ENCAP_PER_PACKET), it
	   should return WTAP_ERR_UNSUPPORTED_ENCAP:

/*---------------------------------------------------
   Returns 0 if we could write the specified encapsulation type,
   an error indication otherwise.
---------------------------------------------------*/
       
int lanalyzer_dump_can_write_encap(int encap)
{
        /* Per-packet encapsulations aren't supported. */
	if (encap == WTAP_ENCAP_PER_PACKET)
		return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
      
	if (encap != WTAP_ENCAP_ETHERNET)
		return WTAP_ERR_UNSUPPORTED_ENCAP;

	return 0;
}

	3) "lanalyzer_dump_header()" isn't used outside "lanalyzer.c",
	   so it should be static.

> There are two more points to consider:
> The lanalyzer file format is limited to 32k packets per file,
> this is not implemented.
> And I have up to now not tested if it works with sliced
> packets.
> 
> Where can I switch on the packet size limit to generate an
> sliced packet trace file?

To slice the captures to a maximum packet size, turn on the "Limit each
packet to [ ...] bytes" option in the "Capture Options" dialog box, and
put the limit you want into the spin box with the number in it.

Follow-Ups:
- [Ethereal-dev] Patch 2 for writing Novell LanAlyzer files
  - From: Markus Steinmann

References:
- [Ethereal-dev] Patch for writing Novell LanAlyzer files
  - From: Markus Steinmann

Prev by Date: Re: [Ethereal-dev] Dissector for DOCSIS
Next by Date: [Ethereal-dev] Plotting TCP Streams - poor man's tool
Previous by thread: [Ethereal-dev] Patch for writing Novell LanAlyzer files
Next by thread: [Ethereal-dev] Patch 2 for writing Novell LanAlyzer files
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$