Ethereal-dev: Re: [Ethereal-dev] Support for pure protocol packets without underlying protocol
Jeff Morriss wrote:
Guy Harris wrote:
On Tue, Jun 24, 2003 at 05:14:56PM +0530, Navin Anand wrote:
The modified files are:
libpcap.c
407,413d406
<
< /*
< * 20 Added for the fake link type, required to dissect packets
< * containing higher layer protocol payload without the lower layer
< * protocol headers, e.g. pure TCP data without underlying IP.
< */
< { 20, WTAP_ENCAP_FAKE_LINK },
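Review bot: The hunk header `407,413d406` and the `<` prefixes mark these seven lines as deleted, not added, so the diff looks like it was generated with the modified libpcap.c as the first file. Regenerate it with the original file first (a unified diff would also carry context lines) so that applying it adds the `{ 20, WTAP_ENCAP_FAKE_LINK }` entry instead of removing it. The comment's opening "20 Added for the fake link type" would also read better as a plain sentence saying that value 20 is mapped to the fake link type.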
There is no guarantee that a DLT_ value of 20 isn't being used
somewhere; it's best to request a DLT_ value from tcpdump.org - or to
define your own capture file format for your application, with its own
magic number, rather than using libpcap format.
Having just used libwiretap to dump packets to a PCAP file, I must admit
that I like using that format (just for ease of use).
....
I have been using this to convert binary payload to a .pcap file:
od -Ax -tx1 stream | text2pcap -m1460 -T1234,5678 - stream.pcap
Together with a dissector that lets Ethereal desegment the TCP stream,
I have had good results dissecting my data stream.
Desegmentation is managed by giving a hint where the next dissector
call should start when an exception occurs.
--
---------------------------------------------------------------- -o)
Matthijs Melchior Maarssen /\\
mmelchior@xxxxxxxxx Netherlands _\_v
---------------------------------------------------------------- ----
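
An added example (not part of the thread, and not text2pcap's own code): the same idea as the pipeline above in Python, wrapping a raw byte stream in dummy Ethernet/IPv4/TCP headers under the registered Ethernet link type, so no private DLT_ value has to be claimed. The MAC and IP addresses are constructed; the 1460-byte segment size and ports 1234/5678 mirror the options in the command above.

```python
import struct

DLT_EN10MB = 1  # registered Ethernet link type, so no private DLT_ value is needed

def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def frame(payload: bytes, seq: int, sport: int, dport: int) -> bytes:
    """Wrap one segment in dummy Ethernet + IPv4 + TCP headers (addresses are constructed)."""
    eth = bytes.fromhex("020000000002" "020000000001") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 1, 1, 1]), bytes([10, 2, 2, 2]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    # Data offset 5 words, flags PSH|ACK, window 8192. The TCP checksum is left 0
    # (assumption: the analyzer is not validating TCP checksums).
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def stream_to_pcap(data: bytes, mss: int = 1460, sport: int = 1234, dport: int = 5678) -> bytes:
    """Return a complete libpcap file holding `data` split into mss-sized TCP segments."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, link type
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)]
    for n, off in enumerate(range(0, len(data), mss)):
        # Sequence numbers advance with the byte offset so the segments reassemble in order
        pkt = frame(data[off:off + mss], 1 + off, sport, dport)
        # Per-record header: ts_sec, ts_usec, captured length, original length
        out.append(struct.pack("<IIII", n, 0, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)

if __name__ == "__main__":
    sample = bytes(range(256)) * 12  # constructed 3072-byte payload
    with open("stream.pcap", "wb") as fh:
        fh.write(stream_to_pcap(sample))
```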