Ethereal-dev: Re: [Ethereal-dev] updated fakelink dissector + (new) README.fakelink

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jeff Morriss <morriss@xxxxxxxxx>
Date: Tue, 12 Aug 2003 16:48:17 -0400


Guy Harris wrote:
On Tuesday, July 8, 2003, at 2:04 PM, Jeff Morriss wrote:

1) What is the fake link layer?
---------------------------------

The fake link layer is a dissector in Ethereal that allows Ethereal to read
a capture file (in PCAP format: fake link has (TODO: will have) its own
DLT_ file format identifier reserved in libpcap) that contains some protocol layer without any of the lower level protocol parts (headers, trailers) on it. Examples include MTP3 without the MTP2 header or SCCP without MTP3 (or below). A (TODO: bad?) non-SS7 example would be TCP without IP (and without Ethernet).

Why? Because there are some protocols that Ethereal understands most of but could not (prior to Fake Link) decode directly because those protocols don't run over a link layer that Ethereal understands. A good example of this is SS7: Ethereal understands a good number of the SS7 protocols because people
have developed dissectors for use with SIGTRAN (SS7 over IP) but Ethereal
cannot capture directly from SS7 links.


It can't capture directly from ISDN links, either, but it does understand ISDN links, at least at the level of frame plus channel number (the D channel is dissected as LAPD; the B channel is dissected as V.120 or PPP-in-HDLC-like-encapsulation, depending on heuristics). The same applies to SDLC.

It understands those link layers because it can read captures from other network analyzers that can do that (because they have hardware pods to do so, as in the case of, for example, a Network Associates Sniffer(R)).

Good point. In fact we don't have any standardized file format that we can (easily) use, so we're trying to just use the PCAP file format(s).

3) How to write a fake link layer PCAP file?
----------------------------------------------

There are 2 methods that you can use to write out a fake link PCAP capture file: by using the Wiretap library (part of Ethereal) or by writing the file out directly from your application. It would make sense that libpcap could be used directly (which could be advantageous since it has a BSD license) but the APIs for libpcap do not seem to allow writing protocol packets to a file
directly (it seems geared more towards capture-and-writing).


You could, with more recent versions of libpcap, probably cheat by calling "pcap_open_dead()" and using the pcap_t * you get back from that as the argument to "pcap_dump_open()".

Okay, yes, that works well, too...  Thanks for the pointer.
Does anybody have any thoughts on what direction to take with this?

I'm leaning towards asking 'tcpdump-workers' for some new LINKTYPE_ definitions:

LINKTYPE_MTP2
LINKTYPE_MTP3
LINKTYPE_SCCP (Navin, I assume you want this one?  I don't need it)

and ditch the "fake link" dissector for now. (But I'd like some level of agreement before doing so.)

Regards,
-Jeff
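The "write the file out directly from your application" method from section 3 of the README, as an added example that is not part of this thread or of Ethereal/libpcap: it serialises bare PDUs (MTP3 with no MTP2 beneath it) into a pcap blob with a chosen link type, then parses the blob back, checking magic, version, snaplen and record bounds the way a reader such as Wiretap would. The link-type number is an assumption (the value libpcap later reserved as LINKTYPE_MTP3; it did not exist when this mail was written), and the MTP3 bytes in the demo are constructed.

```python
import struct

# Assumption: numeric link type for "bare MTP3". libpcap later reserved
# LINKTYPE_MTP3 = 141; at the time of this thread it was still to be requested.
LINKTYPE_MTP3 = 141

PCAP_MAGIC = 0xA1B2C3D4   # microsecond-resolution pcap; written little-endian here
GLOBAL_HDR = "<IHHiIII"   # magic, ver major, ver minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "<IIII"      # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on wire)


def write_fakelink_pcap(linktype, packets, snaplen=65535, ts=0.0):
    """Serialise bare protocol PDUs as a pcap capture whose link type is `linktype`.

    Each item in `packets` is one PDU with no lower-layer headers; the link type
    in the global header tells the reader which dissector to start at.
    """
    out = bytearray(struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for i, pdu in enumerate(packets):
        sec, usec = divmod(int((ts + i) * 1_000_000), 1_000_000)  # constructed timestamps
        saved = pdu[:snaplen]                                     # honour the snaplen
        out += struct.pack(RECORD_HDR, sec, usec, len(saved), len(pdu))
        out += saved
    return bytes(out)


def parse_pcap(data):
    """Read a pcap blob back as (linktype, [packet bytes]); rejects malformed input."""
    if data[:4] == struct.pack("<I", PCAP_MAGIC):
        endian = "<"
    elif data[:4] == struct.pack(">I", PCAP_MAGIC):
        endian = ">"                                   # file came from a big-endian writer
    else:
        raise ValueError("not a pcap file (bad magic)")
    ghdr = struct.Struct(endian + GLOBAL_HDR[1:])
    rhdr = struct.Struct(endian + RECORD_HDR[1:])
    _, major, minor, _, _, snaplen, linktype = ghdr.unpack_from(data, 0)
    if (major, minor) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (major, minor))
    pkts, off = [], ghdr.size
    while off < len(data):
        _, _, incl_len, _ = rhdr.unpack_from(data, off)
        off += rhdr.size
        # A record longer than the snaplen or than the file itself is corrupt; refuse it
        # rather than letting a reader walk off the end of the buffer.
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated or oversized record at offset %d" % off)
        pkts.append(data[off:off + incl_len])
        off += incl_len
    return linktype, pkts


if __name__ == "__main__":
    mtp3_pdus = [b"\x83\x01\x00\x02\x00\x00", b"\x83\x02\x00\x01\x00\x00\x11\x22"]  # constructed
    with open("fakelink.pcap", "wb") as f:
        f.write(write_fakelink_pcap(LINKTYPE_MTP3, mtp3_pdus))
```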