Wireshark-dev: Re: [Wireshark-dev] wslua: reading raw file?
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 09 Apr 2008 11:08:29 -0700
Németh Márton wrote:

I don't really understand your point,

My point is that writing the 24-byte libpcap file header at the beginning of a file - if that's what you mean by "I created a .pcap header and copied my raw file after it" - does no good whatsoever, and will never do any good whatsoever, and *should* never do any good whatsoever, unless what follows it is a list of packets with a 16-byte libpcap packet header before the data of each packet. That header means "this is a libpcap-format file", which means that it contains a sequence of packets with libpcap-format packet headers, not just that it's something that is supposed to be read by Wireshark.

If your dissector is "on the Ethernet level", it's presumably a dissector for some link-layer network type; if you want to have Wireshark handle that link-layer network type, then, as per Luis's suggestion, you should either use one of the DLT_USERn link-layer types or ask for a DLT_ value from tcpdump-workers@xxxxxxxxxxx, convert your raw file to a libpcap-format file by putting a libpcap file header with the appropriate DLT_ value in front of the file and put an appropriate libpcap packet header int front of each packet, add a WTAP_ENCAP_ type and modify wiretap/libpcap.c to map your DLT_ to that WTAP_ENCAP type if you got a DLT_ value from tcpdump-workers, and add your dissector, having it register itself in the "wtap_encap" with WTAP_ENCAP_USERn if you're using DLT_USERn or with the new WTAP_ENCAP_ value if you've added one.

maybe I did not describe well what
I would like to do. I would like to write a dissector which is similar to
how Wireshark can open .mp3 files. The .mp3 files don't have libpcap headers
at all, but Wireshark can handle them.

If it's "similar to how Wireshark can open .mp3 files", it doesn't sound at all as if it's "on the Ethernet level" in a networking sense, so, yes, you didn't describe it well; if you're using it as a file dissector rather than a packet dissector, you should've said it was similar to the way Wireshark dissects MP3's.

My question is that is it possible to create a dissector which reads a
raw file without libpcap header?

As Luis said, you need more than a dissector. Dissectors don't know how to read Wireshark input files, they know how to dissect blobs of binary data - that way, the Ethernet dissector can dissect an Ethernet packet regardless of whether it comes from a libpcap-format file or an EtherPeek/OmniPeek file or a Sniffer file or a Microsoft Network Monitor file or....

Wireshark has, in the "wiretap" directory, a library that it uses to read input files. The Wiretap library tries opening the file as several different file types, stopping when it succeeds or fails with an operating system error, and continuing on to the next file type if it succeeds in opening the file at the OS level but finds that the file is not of the type it's trying.

Many file formats, including libpcap files, can easily be identified, as they have a "magic number" value early in the file at a fixed location. Those file types are tried first. Later formats require heuristics to try to guess whether they're in the specified format or not.

MPEG files are "magic number" files; see wiretap/mpeg.c.

You would need to write a Wiretap module for your file format; this means that either your file format *MUST* either have a magic number or that there *MUST* be some reasonably reliable way of determining whether a file is one of your files or not.

If Wireshark doesn't already have a WTAP_ENCAP_ type for the object or objects in your file format, you will need to add one.

Once you have a Wiretap module for your file format and a WTAP_ENCAP_ type for the object or objects in your file format, you could then write a dissector for the object or objects in your file format, and have it registered to handle that WTAP_ENCAP_ type.