Ethereal-dev: Re: AW: AW: [Ethereal-dev] [Patches] Wiretap support for Catapult DCT 2000 .out

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Martin Mathieson <martin.mathieson@xxxxxxxxxxxx>
Date: Wed, 17 May 2006 17:21:12 +0100

Hi Claudia,

I had a look, and there doesn't seem to be a catapult protocol that directly corresponds to the Ethereal mtp3 dissector (there is a primitive that carries the same information, but this is not sent over the wire...).

If you want to use the DCT2000 format, you could change wiretap/catapult_dct2000.c to set a new encap type when it finds a line with protocol "mtp3" and in epan/dissectors/packet-catapult-dct2000.c look up the dissector "mtp3" for this encap value (this should be easy to change - see the support for other protocols). The other fields should be easy enough to copy/fake from the example file I sent before, the only ones that really matter are protocol, timestamp and the message data. I wouldn't want this checked in though...

The other, probably better, option is to use "ss7_mtp2" and prefix fake layer 2 information?

Hope this helps,
Martin

Claudia Becker wrote:

Hello Martin,

thanx for your response. It helps a little bit. I didn't capture my
packets in Catapult DCT2000 format. I was only searching for a file
format where I can put ISUP(MTP3), Q.931 and SIP.
That's the starting point for my next request. Could you support MTP3 without
MTP2? That would help me.

Thanx,
Claudia Becker

-----Original Message-----
From: ethereal-dev-bounces@xxxxxxxxxxxx
[mailto:ethereal-dev-bounces@xxxxxxxxxxxx] On Behalf Of Martin
Mathieson
Sent: Monday, 8 May 2006 12:48
To: Ethereal development
Subject: Re: AW: [Ethereal-dev] [Patches] Wiretap support for Catapult
DCT2000 .out files


Hi Claudia,

I'm not aware of any document I could point you to that describes in detail the DCT2000 .out format. I'm not even sure what all of the fields do, and in the interests of forward-compatibility tried to make the parsing not rely upon finding fields I wasn't using.

You may know that the -a flag in the DCT2000 'dctprint' command or the corresponding menu item in 'logviewer' can show absolute time (the full time within that day) while decoding the .out file. The time will always be stored in relative time in the .out file.

Ethereal can show the absolute timestamp of each packet. And you can merge 2 or more .out files together using mergecap (-F dct2000 -T dct2000) or the File | Merge... function in ethereal. While saving the .out file the wiretap module rewrites the timestamp of each packet calculated relative to the absolute start time of the capture (which will be taken from the file with the earliest start-time).

What won't work properly is if you try to set an earlier time using editcap, as it currently doesn't handle re-writing new times and won't parse -ve relative times....

Hope this helps,
Martin


Claudia Becker wrote:

Hi Martin,

is it possible to get detailed information about the DCT2000 format?
I'm especially interested in the time format. Is it possible to give each
packet an absolute timestamp and not only a timestamp that is relative to
the time in the second line of the file?

Best regards
Claudia Becker

-----Original Message-----
From: ethereal-dev-bounces@xxxxxxxxxxxx
[mailto:ethereal-dev-bounces@xxxxxxxxxxxx] On Behalf Of Martin
Mathieson
Sent: Wednesday, 12 April 2006 19:14
To: Ethereal development
Subject: [Ethereal-dev] [Patches] Wiretap support for Catapult DCT2000
.out files


Hi,

This attached patch and new files provide support for Catapult DCT2000 .out files to wiretap and ethereal.

This wiretap support (catapult_dct2000.c+h) appends a short header to each packet giving some context, and a corresponding ethereal dissector (packet-catapult-dct2000.c) parses this before passing the real payload onto an existing ethereal dissector (for ethernet, ip, lapd, ppp, frame-relay,...).

For now, there is only support for saving dct2000 files in their own format, although I may add support for converting between dct2000 and libpcap later.

I've also attached a short capture file (test.out) used to test each of the supported link-type protocols. I know some of these messages show as malformed (they are mostly taken from low-level protocol tests), but they are enough to illustrate/verify the mapping between DCT2000 protocols and ethereal dissectors.

I've tested this with quite a few test files (I work at Catapult), and reading/writing/merging works well for me. I've also done some testing with mergecap and editcap (encap string is "dct2000") which seems to work. This is the first wiretap module I've added, so any comments/suggestions are very welcome.

Best regards,
Martin

P.S. the diff file contains small, unrelated RTCP dissector changes, could these please be applied too...?


_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev



