Ethereal-users: [Ethereal-users] Capturing ISDN -- with text2pcap?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: James Mastros <james@xxxxxxxxxxx>
Date: Tue, 22 Jul 2003 10:49:54 +0200
Hello, all,
I'm attempting to debug an isdn4linux problem, and have started to look at the debug output, which is a bunch of syslog lines of the form "Jul 22 01:53:56 desert-island isdnlog: HEX: 00 91 01 05 ". I'm trying to transform this into a pcap capture file with the text2pcap tool, but I'm running into (at least, of course) two problems. Zerothly, is there a better way to do this? I tried capturing against ippp0, but that didn't catch anything at all when I tried calling a dummy number. Presumably, it only captures PPP-over-ISDN packets, which isn't what I'm looking for.
Anyway, assuming there isn't a better way, what I'm doing is basically

cat /var/log/messages | grep HEX | sed 's/desert-island isdnlog: HEX:/000000/' | ./text2pcap -t '%b %d %H:%M:%S' - logHEX.pcap

This gives me two problems. The first is minor: the date/time doesn't get processed correctly. The reason is that the state machine sees the two-hex-digit string "22" in the above, and assumes it's a byte, rather than a part of the preamble. The solution would seem to be to consider bytes before the offset on a line to be preamble rather than bytes, but that may have undesirable consequences for line-wrapped packets. (OTOH, I don't understand how these are dealt with at all, and why the day-of-month isn't making it in as a data byte as things exist now.) To implement that idea, add a case T_BYTE: before line 880 of text2pcap.c (I think).

The second, more major problem: I don't know how to get Ethereal to decode it as ISDN packets. If I try the naive way of doing it, as above, it tries to interpret them as Ethernet, reasonably enough. Reading the manpage, the proper way to do it seems to be to give a -l parameter, with the proper link-layer type, as a BPF_* constant. Unfortunately, there doesn't seem to be one of those for ISDN. I looked at wiretap/i4btrace.c, hoping I could see what it did and do likewise. It uses wth->file_encap = WTAP_ENCAP_ISDN;, i.e. 17, but that doesn't work -- apparently, WTAP_ENCAP_s aren't the same as BPF_* protocols; using -l 17 makes Ethereal try to decode as PFLOG-OLD. Is what I'm trying to do possible without porting text2pcap to wiretap? (That is to say, making wiretap support WTAP_FILE_HEXDUMP.) BTW, the data seems to be at the LAPD level, meaning, if I read packet-isdn.c:dissect_isdn correctly, I may need to prepend some sort of pseudo-header anyway. This may be more work than it's worth...

	-=-James Mastros
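An added example, not code from this mail, from Ethereal/text2pcap or from isdn4linux, that takes the opposite route to the pipeline in the mail: it parses the isdnlog "HEX:" syslog lines itself and writes pcap records directly, so the "Jul 22" preamble never reaches text2pcap's tokeniser and the link-layer type field is set explicitly. The sample log lines are constructed in the format the mail quotes; the timestamps are assumed to be UTC with the year 2003 (syslog carries no year); and the link type written is libpcap's private-use DLT_USER0 (147), a stand-in which Wireshark (Ethereal's successor) lets you bind to a dissector through its DLT_USER preferences. It does not settle the open question in the mail of which ISDN encapsulation and pseudo-header the ISDN dissector expects.

```python
#!/usr/bin/env python3
"""Turn isdnlog 'HEX:' syslog lines straight into a pcap file.

Added example, not part of the original mail or of Ethereal/text2pcap.
Writing the pcap records ourselves sidesteps text2pcap's preamble
tokenising (the 'Jul 22' day-of-month being read as a byte) and lets us
set the link-layer type field explicitly.
"""
import re
import struct
from datetime import datetime, timezone

# Constructed sample log lines in the format quoted in the mail (not a real capture).
SAMPLE_LOG = """\
Jul 22 01:53:56 desert-island isdnlog: HEX: 00 91 01 05
Jul 22 01:53:56 desert-island kernel: unrelated noise that must be skipped
Jul 22 01:53:57 desert-island isdnlog: HEX: 02 01 7f 08 01 05 05
"""

# Month, day, time, host, then the HEX: marker followed by two-digit hex bytes.
HEX_LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ isdnlog: HEX:(?P<hex>(?: [0-9a-fA-F]{2})+) *$"
)

# libpcap's private-use link type DLT_USER0 (147). Assumption for this example:
# no ISDN-specific type is chosen here; in Wireshark you then map "User 0" to
# the dissector you want via the DLT_USER preferences.
DLT_USER0 = 147
PCAP_MAGIC = 0xA1B2C3D4  # classic microsecond-resolution pcap magic


def parse_isdnlog(text, year=2003):
    """Return [(epoch_seconds, payload_bytes)] for every isdnlog HEX line.

    syslog timestamps carry no year, so the caller supplies one; the
    timestamps are treated as UTC (assumption) so the output does not
    depend on the converting host's time zone.
    """
    packets = []
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue  # not an isdnlog HEX line: drop it rather than let it leak in as bytes
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        packets.append((int(ts.timestamp()), bytes.fromhex(m["hex"].strip())))
    return packets


def build_pcap(packets, linktype=DLT_USER0, snaplen=65535):
    """Serialise packets as a little-endian pcap file (global header + per-record headers)."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for secs, data in packets:
        # ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", secs, 0, len(data), len(data))
        out += data
    return bytes(out)


def read_pcap(blob):
    """Minimal reader used to check what was written: returns (linktype, [(secs, data)])."""
    magic, _major, _minor, _zone, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off, records = 24, []
    while off < len(blob):
        secs, _usec, incl, _orig = struct.unpack_from("<IIII", blob, off)
        off += 16
        records.append((secs, blob[off:off + incl]))
        off += incl
    return linktype, records


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    pkts = parse_isdnlog(src)
    with open("logHEX.pcap", "wb") as f:
        f.write(build_pcap(pkts))
    print(f"wrote {len(pkts)} packets to logHEX.pcap")
```

Run it as `python3 isdnlog2pcap.py /var/log/messages` (the file name is whatever you save the script as) and open logHEX.pcap in the analyser. Because the link type is a parameter of build_pcap, switching to a real ISDN link type once one is known, or prepending the pseudo-header the dissector wants to each payload, is a one-line change in parse_isdnlog.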