
Ethereal-dev: RE: [Ethereal-dev] non-ethernet use of ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ray Rizzuto" <Ray_Rizzuto@xxxxxxx>
Date: Tue, 14 Sep 2004 15:30:47 -0400
I'd like to use an existing file format, if possible.  I have control of
creating the output file from another application.  Do you know where I
can get documentation on the libpcap format to see if I can use that to
contain non-ethernet data? 

The data I'm saving is similar to HDLC.  The HDLC frames can either be
supervisory frames, or data frames that encapsulate other protocol(s)
already decoded by Ethereal.  I think I understand the tasks for
creating a dissector for the hdlc frame and calling the existing dissector
for the payload of data frames.

Thanks for your help.

-----Original Message-----
From: ethereal-dev-bounces@xxxxxxxxxxxx
[mailto:ethereal-dev-bounces@xxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Monday, September 13, 2004 2:23 PM
To: Ethereal development
Subject: Re: [Ethereal-dev] non-ethernet use of ethereal

Ray Rizzuto wrote:
> I would like to create a dissector that will decode packets that have 
> NO ethernet or IP headers.  My dissector will decode a proprietary link
> level, then make use of existing dissectors to decode the payload.  Is 
> this possible?

Yes.  We certainly support link layers other than Ethernet, and support
protocols running atop Ethernet - or other link layers - other than IP.

> Any hints on where to get started?

For starters, you will have to be able to read some capture file format
that encapsulates your packets.

If you're not using an existing capture file format, you will have to
add to Wiretap (the library Ethereal, Tethereal, etc. use to read and
write capture files; it's in the "wiretap" subdirectory of the source)
the ability to read that file format, if it's not a format it already
reads.

If your link-layer protocol is the lowest-layer protocol that will be in
the capture file, you will need to add a WTAP_ENCAP value to "wiretap/wtap.h"
for that type, and will need to have the code in Wiretap that reads
your capture files recognize captures with your protocol and use that
encapsulation type.  Note that if this is going to be a private version
of Ethereal not supplied outside your organization, you can use one of
the WTAP_ENCAP_USER{N} types - they were added specifically for this
purpose, i.e. private encapsulation types.  If you'll be making your
changes to Ethereal publicly available, you should add a new WTAP_ENCAP
value, and send your changes to us to make them part of the standard
Ethereal release.

You will then make your dissector for your protocol register itself as
the handler for that WTAP_ENCAP value with a call to "dissector_add()",
using "wtap_encap" as the dissector table name and the WTAP_ENCAP value
name as the value.  See other calls to "dissector_add()" for examples.

If your protocol *isn't* the lowest-layer protocol, you'd have to
arrange that your dissector be called by the dissector for the protocol
below it.  How that'd be done depends on that dissector; it might be
possible to have your dissector register itself as the handler for some
value.

Your dissector would then have to arrange to call dissectors for the
protocol running atop it.  We'd have to know how that'd be done - for
example, if there's a "protocol type" value in your link-layer protocol,
you might have to add a dissector table for that value and modify the
other dissectors to register in your table, or, if the table has the
same values as some other protocol's protocol type field (e.g., Ethernet
types), you might be able to use that protocol's dissector table.

_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev
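The following is an added example, not code from the thread or from the Ethereal/Wireshark project. It illustrates both halves of the exchange above: Ray's question about using the libpcap savefile format to carry non-Ethernet frames, and Guy's point that a link-layer "protocol type" field is dispatched through a dissector table. The pcap header layouts, the 0xa1b2c3d4 magic and the value 147 for LINKTYPE_USER0/DLT_USER0 (the private-use link type that Wireshark maps to WTAP_ENCAP_USER0) are facts about the format; the HDLC-like framing (address byte, control byte, 16-bit protocol type on data frames) and the IPv4 sample header are constructed for this example and stand in for Ray's proprietary link layer. The reader side checks record lengths against the header so a malformed file cannot make the parser read past the buffer, which is the kind of check a real Wiretap reader also has to make.

```python
import struct

# libpcap savefile constants (known format facts; not taken from the thread)
PCAP_MAGIC = 0xA1B2C3D4      # microsecond-timestamp magic; this example writes little-endian
PCAP_VERSION_MAJOR, PCAP_VERSION_MINOR = 2, 4
LINKTYPE_USER0 = 147         # DLT_USER0: first of 16 link types reserved for private use
                             # (Wireshark exposes it as WTAP_ENCAP_USER0 and lets a preference
                             # pick the dissector that handles it)

def pcap_global_header(linktype, snaplen=65535):
    """24-byte file header: magic, version, thiszone, sigfigs, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, PCAP_VERSION_MAJOR,
                       PCAP_VERSION_MINOR, 0, 0, snaplen, linktype)

def pcap_record(ts_sec, ts_usec, data):
    """16-byte per-packet header (ts_sec, ts_usec, incl_len, orig_len) followed by the frame."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)) + data

def write_pcap(linktype, frames):
    """Serialize (ts_sec, ts_usec, frame_bytes) tuples into an in-memory pcap file."""
    return pcap_global_header(linktype) + b"".join(pcap_record(*f) for f in frames)

def read_pcap(blob):
    """Parse a little-endian pcap blob into (linktype, [(ts_sec, ts_usec, data), ...])."""
    magic, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    records, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from("<IIII", blob, off)
        off += 16
        # Bounds check: a record claiming more bytes than the file holds is malformed
        if incl_len > snaplen or off + incl_len > len(blob):
            raise ValueError("truncated or oversized pcap record")
        records.append((ts_sec, ts_usec, blob[off:off + incl_len]))
        off += incl_len
    return linktype, records

# Constructed, hypothetical HDLC-like link layer standing in for the proprietary one:
#   byte 0 = address, byte 1 = control; control bit 0 set marks a supervisory frame,
#   clear marks a data frame that carries a 16-bit protocol type and then the payload.
def build_frame(address, control, proto_type=0, payload=b""):
    frame = bytes([address, control])
    if control & 0x01 == 0:
        frame += struct.pack(">H", proto_type) + payload
    return frame

# A dict keyed by protocol type plays the role of a dissector table: payload parsers
# register here the way Ethereal dissectors register through dissector_add().
PROTO_TABLE = {}

def register_proto(proto_type, handler):
    PROTO_TABLE[proto_type] = handler

def parse_ipv4(payload):
    """Minimal IPv4 header parse, standing in for handing the payload to an existing dissector."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return {"error": "not an IPv4 header"}
    ihl = (payload[0] & 0x0F) * 4
    if ihl < 20 or len(payload) < ihl:
        return {"error": "bad IHL"}
    total_len = struct.unpack_from(">H", payload, 2)[0]
    src = ".".join(str(b) for b in payload[12:16])
    dst = ".".join(str(b) for b in payload[16:20])
    return {"version": 4, "total_len": total_len, "protocol": payload[9], "src": src, "dst": dst}

register_proto(0x0800, parse_ipv4)   # 0x0800 is the Ethernet type value for IPv4, reused as our type code

def dissect_frame(frame):
    """Decode one link-layer frame and dispatch data-frame payloads through PROTO_TABLE."""
    if len(frame) < 2:
        return {"error": "frame too short"}
    address, control = frame[0], frame[1]
    if control & 0x01:
        return {"kind": "supervisory", "address": address, "control": control}
    if len(frame) < 4:
        return {"error": "data frame without protocol type"}
    proto_type = struct.unpack_from(">H", frame, 2)[0]
    payload = frame[4:]
    handler = PROTO_TABLE.get(proto_type)
    return {"kind": "data", "address": address, "proto_type": proto_type,
            "payload": handler(payload) if handler else {"unregistered": len(payload)}}

def demo():
    """Round-trip three constructed frames through the pcap writer/reader and dissect them."""
    ipv4_hdr = bytes.fromhex("4500001400004000401100000a0000010a000002")  # 10.0.0.1 -> 10.0.0.2, UDP
    frames = [
        (1095190247, 0, build_frame(0x01, 0x11)),                        # supervisory frame
        (1095190247, 500, build_frame(0x01, 0x00, 0x0800, ipv4_hdr)),    # data frame, IPv4 payload
        (1095190248, 0, build_frame(0x01, 0x00, 0x1234, b"\xde\xad")),   # data frame, unknown type
    ]
    linktype, records = read_pcap(write_pcap(LINKTYPE_USER0, frames))
    return linktype, [dissect_frame(data) for _, _, data in records]

if __name__ == "__main__":
    for summary in demo()[1]:
        print(summary)
```

The writer produces a file that libpcap-based tools accept as-is; what a tool does with the frames then depends on whether it has a dissector registered for link type 147, which is exactly the registration step Guy describes for a WTAP_ENCAP_USER{N} value.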