Wireshark · Ethereal-dev: [Ethereal-dev] Capturing DOCSIS frames

Ethereal-dev: [Ethereal-dev] Capturing DOCSIS frames

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Anand V. Narwani" <anarwani@xxxxxxxxx>

Date: Mon, 05 Aug 2002 17:37:15 -0400

folks,
I'm trying to fix the DOCSIS plugin so that I can correctly identify packet types when capturing DOCSIS frames. I've added a capture_docsis() routine to correctly call capture_eth() for Data PDU's and it increment the "Other" protocol for non-data pdu's.
To refresh everyone's memory the DOCSIS plugin depends on a preference being set in packet-frame.c to force ethereal to treat all frames as DOCSIS frames. Essentially the following code is at the very top of dissect_frame():
if ((force_docsis_encap) && (docsis_handle)) { pinfo->fd->lnk_t = WTAP_ENCAP_DOCSIS; }This has the effect of dissect_docsis being called when dissector_try_port is called later on.

Here are the possible solutions I have come up with thus far:

Solution 1 (modify capture.c):
1. In capture() check for the force_docsis_encap preference and set ld.linktype = WTAP_ENCAP_DOCSIS.
2. In capture_pcap_cb() add a case to switch(ld->linktype) to check for WTAP_ENCAP_DOCSIS. If it is set, then call capture_docsis().

Problems with this solution:
1. force_docsis_encap must now be globally visible.
2. I now have a reference to capture_docsis() in capture.c, but this exists in the docsis plugin. I am unable to link as ld is unable to find the symbol capture_docsis. One solution was to add a pointer to the function capture_docsis and initialise that inside plugin_reg_handoff(). This way I can check for both the existence of the DOCSIS plugin as well as the setting of the force_docsis_encap preference. Again, the pointer must now have global scope.

Solution 2 (Add a new DLT_ type):
1. Go to the tcpdump folks and get a new DLT_ type for DOCSIS packets.
2. Add an entry to pcap_to_wtap_map[] in libpcap.c
3. In capture_pcap_cb() add a case to switch(ld->linktype) to check for WTAP_ENCAP_DOCSIS. If it is set, then call capture_docsis().

Problems with this solution:
1. How can I tell libpcap that the frames it is seeing are DOCSIS frames?
2. I have the same problem as outlined in 2. above: How can I access a symbol that exists in a shared object; i.e the DOCSIS plugin?

I realise that the root problem with this is that we are capturing DOCSIS frames off of an Ethernet port and that what we end up with is a nasty hack that forces Ethereal to treat all frames as DOCSIS frames. So the answer might be to leave well enough alone and live with the strange numbers in the protocol capture Window. I'd like to get your opinions on whether or not there is a better way to do this.

Thanks,
Anand

--
Anand V. Narwani, CCIE 3892
Advanced Engineering Services
Cisco Systems, Inc.
Direct/Fax: 919.392.3404
Email: anarwani@xxxxxxxxx

"Meddle not in the affairs of dragons, for you are crunchy and taste good with ketchup"

Prev by Date: Re: [Ethereal-dev] register_dissector_table from within a plugin
Next by Date: [Ethereal-dev] patch for wtap.h
Previous by thread: Re: [Ethereal-dev] register_dissector_table from within a plugin
Next by thread: [Ethereal-dev] patch for wtap.h
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$