Ethereal-dev: Re: [Ethereal-dev] problems with direction info of PPP/ vj-compressed TCP
On Thu, Jul 24, 2003 at 01:57:19PM +0200, thingstocome@xxxxxxx wrote:
> I am writing this in the hope that someone here knows how to store
> PPP/vj-compressed direction information using wtap_dump() so that it is properly
> recognized when loading the capture file with Ethereal.
> Although I was able to successfully construct and dump PPP frames that can
> be viewed with Ethereal, the direction of vj-compressed packets is always said
> to be unknown.
The only way to have them not be unknown is to write the frames out in a
format that has a direction indication.
Libpcap format is *not* such a format, which means that...
> w_dumper = wtap_dump_open(filename,WTAP_FILE_PCAP ,
> WTAP_ENCAP_PPP_WITH_PHDR,0,&err); /* what is snaplen for ? */
...that won't work.
("snaplen" is for putting into the header of the capture file if the
capture file format has a "frame length limit" field, indicating, when
the capture was done, the "snapshot length" for the capture - if a
"snapshot length" is specified, any frame longer than the snapshot
length will have only the first N bytes, where N is the snapshot length,
written out. Use 65535 if there is no snapshot length.)
The reason we allow libpcap-format files for output with an
encapsulation type of WTAP_ENCAP_PPP_WITH_PHDR is to allow files that
*do* have the direction information to be saved in libpcap format, for
processing by other applications that can only read libpcap format.
Doing so *does* mean that information is lost (the direction information
is lost).
You might try using WTAP_FILE_NETXRAY_2_00x,
WTAP_FILE_NGSNIFFER_UNCOMPRESSED, or WTAP_FILE_VISUAL_NETWORKS instead
of WTAP_FILE_PCAP.
