On Thursday, June 26, 2003, at 10:35PM, Naveen Kumar Kaushik wrote:
Capturing and storing
----------------
Step 1: How does Ethereal know which format should be used for writing
packets, or in other words, which fields differ between the different
file types like pcap, enc, etc., since the packet structure is the same
(depending on the protocol)?
When capturing packets, Ethereal *always* uses libpcap format - that's
its native format.
When saving packets from the File > Save As... menu item, it uses
whatever format the user specifies; the default is the format of the
current capture file.
Step 2: For the case of pcap, how does it find out the DLT type?
When capturing, it finds out the DLT_ type by calling "pcap_datalink()"
(and, on AIX, checking to see if we got one of the bogus values that
AIX's "pcap_datalink()" returns and converting it to a *normal*
link-layer value).
"pcap_datalink()" gets it from the pcap_t data structure; it's filled
in by "pcap_open_live()" (or "pcap_open_offline()", but Ethereal
doesn't use that) - "pcap_open_live()" gets it by using whatever call is
appropriate for the OS and packet capture mechanism.
Step 3: How are packet bytes written to the file, sequentially or ....?
Yes, they're written sequentially.
Reading
------------
Step 1: You have a device which can give you packets in pcap format.
By "reading" do you mean "capturing" (in which case you have a device)
or "reading an existing capture file" (in which case you have a file,
not a device)?
Step 2: You get a pointer to the start of the file.
Step 3: How will you find out the DLT type, i.e., is the location of the
DLT fixed from the start of the file?
If it's a device, this is capturing; see the answer above.
If it's a file, that's done by the routines in the Wiretap library, in
the "wiretap" directory. The way it's done is dependent on the type of
file. There's usually a value in the file header that specifies the
link-layer type.
Note, however, that Ethereal doesn't use DLT_ values there, as it can
read capture files that aren't libpcap files and that have link-layer
types not supported by libpcap (e.g., raw ISDN). It uses WTAP_ENCAP_
values instead.
Step 4: Now let us say you know the DLT value. How does Ethereal know
which protocol dissector to call now (generally, not for a particular
protocol)?
Ethereal has a general mechanism for using numerical values to look up
dissectors; that mechanism is used to find the dissector for a
particular link-layer type. For example, the Ethernet dissector
registers itself in the table for WTAP_ENCAP_ values with the type
WTAP_ENCAP_ETHERNET:
dissector_add("wtap_encap", WTAP_ENCAP_ETHERNET, eth_handle);
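To show the two steps discussed above in one place (pulling the link-layer type out of a libpcap file header, then using that number to look up a dissector in a table), here is an added example in C; it is not Ethereal or Wiretap code. The table is modelled on dissector_add() but keyed directly by the pcap linktype instead of a WTAP_ENCAP_ value, the key 1 for Ethernet is assumed, and the header and frame bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed libpcap file header (little-endian writer): magic 0xa1b2c3d4,
   version 2.4, thiszone 0, sigfigs 0, snaplen 65535, linktype 1 (DLT_EN10MB).
   Made up for this example, not taken from a real capture. */
static const unsigned char sample_hdr[24] = {
    0xd4, 0xc3, 0xb2, 0xa1, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 };
/* Constructed Ethernet header: two MAC addresses, then EtherType 0x0800. */
static const unsigned char sample_frame[14] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0x08, 0x00 };

static uint32_t rd32(const unsigned char *p, int be) {
    return be ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
              : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}
/* Link-layer type from a libpcap file header, or -1 if the header is short or
   the magic is wrong. The magic fixes the writer's byte order, which must be
   applied to every later field, including the linktype at offset 20. */
long pcap_file_linktype(const unsigned char *hdr, size_t len) {
    if (len < 24) return -1;
    uint32_t m = rd32(hdr, 0);
    int be = (m == 0xd4c3b2a1u);            /* bytes swapped: big-endian writer */
    if (!be && m != 0xa1b2c3d4u) return -1; /* not a libpcap header */
    return (long)rd32(hdr + 20, be);
}
/* Table in the spirit of dissector_add("wtap_encap", ...): a numeric
   link-layer key maps to a dissector handle. */
typedef int (*dissector_t)(const unsigned char *pkt, size_t len);
static struct { uint32_t key; dissector_t handle; } encap_table[8];
static int n_entries;

int dissector_add(uint32_t key, dissector_t handle) {
    if (n_entries >= 8) return -1;
    encap_table[n_entries].key = key; encap_table[n_entries].handle = handle;
    return ++n_entries;
}
/* Toy Ethernet dissector: returns the EtherType, or -1 for a runt frame. */
static int dissect_eth(const unsigned char *pkt, size_t len) {
    return len < 14 ? -1 : (pkt[12] << 8 | pkt[13]);
}
int register_dissectors(void) { n_entries = 0; return dissector_add(1, dissect_eth); }
/* Dispatch one packet by its link-layer type; -2 means nothing registered. */
int dispatch(long linktype, const unsigned char *pkt, size_t len) {
    for (int i = 0; linktype >= 0 && i < n_entries; i++)
        if (encap_table[i].key == (uint32_t)linktype) return encap_table[i].handle(pkt, len);
    return -2;
}
```

A capture written on a big-endian host carries the magic bytes in the other order, so reading the linktype without checking the magic first would silently hand the wrong number to the table.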