Ethereal-users: Re: [Ethereal-users] Analyzing Cisco HDLC

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Fri, 30 Jul 2004 00:17:06 -0700

On Wed, Jul 28, 2004 at 04:02:42PM -0700, Talbert, Britt USA wrote:
> 1)      How do I put the file into a format (capture format) so that
> tethereal will understand?

Get a sufficiently recent version of libpcap/WinPcap, and using it,
write a program that:

	calls "pcap_open_dead()" (you need a sufficiently recent version
	so it *has* that function) with a "linktype" of DLT_C_HDLC and a
	"snaplen" of 65535;

	uses the "pcap_t" you get back from that call in a call to
	"pcap_dump_open()";

	for each frame it reads from the PCI card:

	    assembles the contents of the frame in memory, *with all the
	    bit-stuffing and 01111110 framing stuff stripped out* (as
	    Tethereal expects that to have been done);

	    fills in a "struct pcap_pkthdr" with the current time as the
	    time stamp and the number of bytes in the frame (with the
	    bit-stuffing and framing stuff removed) as the len and
	    caplen;

	    calls "pcap_dump()" with the "pcap_dumper_t" returned by
	    "pcap_dump_open()" as the first argument, a pointer to the
	    "struct pcap_pkthdr" as the second argument, and a pointer
	    to the packet data as the third argument;

	calls "pcap_dump_close()" on the "pcap_dumper_t" when the last
	packet has been seen.

> a.       The problem with that is that I will be handing tethereal
> 1-byte size files on a continual basis.

Tethereal can't handle that.

> 2)      How can I pipe the data to tethereal before putting it in a
> file?

What do you mean by "before"?

You could pipe it to Tethereal and have *it* write it to a file:

	yourprogram | tethereal -i - -w filename

Another alternative would be to, instead of writing a program, modify
libpcap to be able to read from your device.  It'd still strip out the
bit-stuffing and framing, and construct a "struct pcap_pkthdr", but it'd
hand them to the application using libpcap.

See "pcap-bpf.c" or "pcap-linux.c" in libpcap 0.8 or WinPcap 3.1 beta
for an example of how to hook into the open routine on whatever platform
you're doing this - see the code in "pcap_open_live()" inside "#ifdef
HAVE_DAG_API"/"#endif".  That code checks whether the name of the device
being opened has "dag" in it and, if so, calls the routine for opening
Endace DAG devices.  You'd have to pick some other string that your
device would have in its name but no network interface would have, or
figure out some other way to distinguish your device from a network
interface.

The actual code for your device would work somewhat similarly to the DAG
code in "pcap-dag.c" in libpcap 0.8 or WinPcap 3.1 beta.  (You'd have to
modify one of those versions or a later version.)

With something such as that, tcpdump/WinDump or Ethereal or Tethereal or
Snort or...  could itself capture on your device.

> The documentation says that tethereal supports Cisco HDLC.

It does, but note that "supports Cisco HDLC" means "supports dissecting
Cisco HDLC frames, if they're being read from a capture file, in one of
the formats Ethereal/Tethereal supports, with a link-layer type in the
file that Ethereal can recognize as Cisco HDLC, and if the frames have
been stripped of all their bit-stuffing and framing stuff".
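
The step the reply describes only in words, stripping the bit-stuffing and 01111110 framing before the frame reaches pcap_dump(), is sketched below as an added example; it is not part of the original message and not libpcap code. The names hdlc_rx, hdlc_push_bit, hdlc_first_frame and DEMO_RAW are hypothetical, and it assumes the card delivers line bits LSB-first within each byte.

```c
#include <stdint.h>
#include <string.h>
#define MAX_FRAME 65535                /* same bound as the snaplen above */
struct hdlc_rx {                       /* hypothetical de-framer state */
    unsigned ones;                     /* consecutive 1 bits seen on the line */
    size_t   nbits;                    /* payload bits stored since last flag */
    int      in_frame;                 /* an opening flag has been seen */
    uint8_t  frame[MAX_FRAME + 1];     /* +1: the flag's first 7 bits land here */
};

/* Push one line bit. Returns the octet count when a frame has just ended
 * (payload is then in rx->frame), otherwise 0. */
static size_t hdlc_push_bit(struct hdlc_rx *rx, int bit)
{
    if (bit) {
        if (++rx->ones >= 7) { rx->in_frame = 0; return 0; }  /* abort or idle */
    } else {
        unsigned ones = rx->ones;
        rx->ones = 0;
        if (ones == 5) return 0;                   /* stuffed 0: drop it */
        if (ones == 6) {                           /* 01111110 flag */
            size_t n = rx->in_frame ? rx->nbits : 0;
            rx->in_frame = 1; rx->nbits = 0;
            /* back out the flag's 0111111 that was stored as payload */
            return (n >= 15 && (n - 7) % 8 == 0) ? (n - 7) / 8 : 0;
        }
    }
    if (!rx->in_frame || rx->nbits / 8 > MAX_FRAME) { rx->in_frame = 0; return 0; }
    if (rx->nbits % 8 == 0) rx->frame[rx->nbits / 8] = 0;
    rx->frame[rx->nbits / 8] |= (uint8_t)(bit << (rx->nbits % 8));
    rx->nbits++;
    return 0;
}

/* Constructed sample: flag, 0F 00 FF (bit-stuffed), flag, idle 1s. */
static const uint8_t DEMO_RAW[] = { 0x7E, 0x0F, 0x00, 0xDF, 0xFD, 0xFE };

/* Feed raw bytes LSB-first (assumed bit order) and copy out the first complete
 * frame. A capture program would pass rx.frame and len to pcap_dump() here. */
static size_t hdlc_first_frame(const uint8_t *raw, size_t n, uint8_t *out)
{
    static struct hdlc_rx rx;
    memset(&rx, 0, sizeof rx);
    for (size_t i = 0; i < n * 8; i++) {
        size_t len = hdlc_push_bit(&rx, (raw[i / 8] >> (i % 8)) & 1);
        if (len) { memcpy(out, rx.frame, len); return len; }
    }
    return 0;
}
```

The returned length is what goes into both len and caplen of the "struct pcap_pkthdr"; frames that are aborted (seven or more 1 bits), not a whole number of octets, or longer than MAX_FRAME are dropped rather than written.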