Hello, all,
I'm attempting to debug an isdn4linux problem, and have started to look
at the debug output, which is a bunch of syslog lines of the form "Jul 22
01:53:56 desert-island isdnlog: HEX: 00 91 01 05 ". I'm trying to
transform this into a pcap capture file with the text2pcap tool, but I'm
running into (at least, of course) two problems.
Zerothly, is there a better way to do this? I tried capturing against
ippp0, but that didn't catch anything at all when I tried calling a dummy
number. Presumably, it only captures PPP-over-ISDN packets, which isn't
what I'm looking for.
Anyway, assuming there isn't a better way, what I'm doing is basically
    cat /var/log/messages | grep HEX | sed 's/desert-island isdnlog: HEX:/000000/' | ./text2pcap -t '%b %d %H:%M:%S' - logHEX.pcap
This gives me two problems. The first is minor: The date/time doesn't
get processed correctly. The reason is that the state machine sees the
two-hex-digit string "22" in the above, and assumes it's a byte, rather
than a part of the preamble. The solution would seem to be to consider
bytes before the offset on a line to be preamble rather than byte, but that
may have undesirable consequences for line-wrapped packets. (OTOH, I don't
understand how these are dealt with at all, and why the day-of-month isn't
making it in as a data byte as things exist now.) To implement that idea,
add a case T_BYTE: before line 880 of text2pcap.c (I think).
The second, more major problem: I don't know how to get Ethereal to decode
it as ISDN packets. If I try the naive way of doing it, as above, it tries
to interpret them as ethernet, reasonably enough. Reading the manpage, the
proper way to do it seems to be to give a -l parameter, with the proper
link-layer type, as a BPF_* constant. Unfortunately, there doesn't seem to be
one of those for ISDN. I looked at wiretap/i4btrace.c, hoping I could see
what it did and do likewise. It uses wth->file_encap = WTAP_ENCAP_ISDN;,
i.e. 17, but that doesn't work -- apparently, WTAP_ENCAP_s aren't the same as
BPF_* protocols; using -l 17 makes Ethereal try to decode as PFLOG-OLD. Is
what I'm trying to do possible without porting text2pcap to wiretap? (That
is to say, making wiretap support WTAP_FILE_HEXDUMP.)
BTW, the data seems to be at the LAPD level, meaning, if I read
packet-isdn.c:dissect_isdn correctly, I may need to prepend some sort of
pseudo-header anyway. This may be more work than it's worth...
-=-James Mastros
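The conversion the post attempts with grep/sed/text2pcap, written out as a small stand-alone converter. This is an added example, not code from the post, from isdnlog, or from text2pcap/Ethereal. It avoids the preamble/byte ambiguity described above by matching the syslog timestamp with a regex before any hex is read, so the day-of-month "22" can never be taken as a data byte. Its assumptions: each "HEX:" line is one frame (the post does not say how isdnlog wraps long packets, so no line merging is attempted); syslog timestamps carry no year, so the caller supplies one, and they are interpreted as UTC; the pcap link-layer type is a parameter, with libpcap's DLT_LAPD value (203) used as the default for D-channel frames, which is this example's choice and not something the post establishes. The sample log lines are constructed (the first one copied from the post, the rest made up).

```python
"""Convert isdnlog "HEX:" syslog lines into a pcap file.

Added example; not part of the original post, isdnlog, text2pcap or Ethereal.
"""
import re
import struct
from datetime import datetime, timezone

# One syslog line per frame (assumption): timestamp without year, hostname,
# "isdnlog: HEX:", then whitespace-separated hex octets.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) isdnlog: HEX: (?P<hex>(?:[0-9A-Fa-f]{2}\s*)+)$"
)

# libpcap DLT_* values. DLT_LAPD (203) is assumed here for ISDN D-channel
# frames; the post itself does not settle on a link-layer type.
DLT_EN10MB = 1
DLT_LAPD = 203

# Constructed sample input: line 1 is from the post, lines 2-3 are made up.
SAMPLE_LOG = """\
Jul 22 01:53:56 desert-island isdnlog: HEX: 00 91 01 05
Jul 22 01:53:56 desert-island isdnlog: (constructed non-HEX line, skipped)
Jul 22 01:53:57 desert-island isdnlog: HEX: 02 01 00 01 08 01 01 05
"""


def parse_isdnlog(lines, year, tz=timezone.utc):
    """Return [(epoch_seconds, payload_bytes), ...] for each HEX line.

    The timestamp is parsed first and separately from the hex payload, so
    a day-of-month like "22" can never be mistaken for a data byte.
    Syslog has no year; the caller supplies it. tz defaults to UTC (assumption).
    """
    frames = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an isdnlog HEX line
        # Prefix the year so strptime never has to cope with a yearless date.
        stamp = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        stamp = stamp.replace(tzinfo=tz)
        frames.append((stamp.timestamp(), bytes.fromhex(m.group("hex"))))
    return frames


def build_pcap(frames, linktype=DLT_LAPD, snaplen=65535):
    """Serialize frames as a classic little-endian pcap (magic 0xa1b2c3d4).

    Global header: magic, major 2, minor 4, thiszone 0, sigfigs 0, snaplen,
    linktype. Record header: ts_sec, ts_usec, incl_len, orig_len, then data.
    """
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype))
    for ts, payload in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        data = payload[:snaplen]
        out += struct.pack("<IIII", sec, usec, len(data), len(payload))
        out += data
    return bytes(out)


def write_pcap(path, frames, linktype=DLT_LAPD):
    """Write frames to `path` and return the number of frames written."""
    with open(path, "wb") as fh:
        fh.write(build_pcap(frames, linktype))
    return len(frames)


if __name__ == "__main__":
    # Real use: parse_isdnlog(open("/var/log/messages"), year=2002)
    frames = parse_isdnlog(SAMPLE_LOG.splitlines(), year=2002)
    n = write_pcap("logHEX.pcap", frames, DLT_LAPD)
    print(f"wrote {n} frames to logHEX.pcap (linktype {DLT_LAPD})")
```

If the resulting file is decoded wrongly by Wireshark/Ethereal, the link-layer number passed to build_pcap is the thing to change; the parser itself does not care what the bytes are. Because the timestamp is parsed in isolation, there is no "state machine" to confuse, so the -t preamble problem the post describes does not arise.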