Wireshark-dev: [Wireshark-dev] Application-layer capture files
From: Hadriel Kaplan <HKaplan@xxxxxxxxxxxxxx>
Date: Wed, 22 Sep 2010 18:00:07 -0400
Howdy,
For a few years my company has provided a free offline tool to convert an internal capture format of SIP messages received by our system parsers to pcap format.  This tool does the classic trick of creating fake Ethernet+IP+UDP headers and formatting the thing as a pcap.  It made sense to do this, because it lets us capture the real IP:port info in the fake IP/UDP headers, so that wireshark displays them and the user can sort/filter based on ip and do conversation analysis, etc.  We don't want to do real raw packet captures as they're received off-the-wire, because SIP could run over TLS or IPsec and would only show encrypted data.

This all worked fine when everything was SIP over UDP over IPv4.  But SIP over TCP exists as well, and even over IPv6.  Over TCP in particular, when "capturing" at the application layer you don't have access to sequence numbers and such, and recording them as UDP packets is really misleading (and screws up).  Furthermore, we'd like to change our systems to be able to create a file format and encap type wireshark will (someday) understand natively.

I could write a patch for wireshark to handle a new WTAP_ENCAP_RAW_SIP_SOCKET or some such, with a small header that records the ip:port:transport info we do have at the app layer, and a dissector that handles that before calling SIP's dissector.  But it occurs to me we can't be the first ones with this problem - things like HTTP and other application-layer parsers/apps must want the ability to "capture" into a file like pcap at their layer too, so is there some existing solution (encap format, file format, dissector, whatever) that I'm overlooking?  I've tried to check the source code of every one that looks like it might do it, but I can't find one.

-hadriel
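The "classic trick" the post describes, as an added example (this is not the company's tool and not Wireshark project code): take a message handed over by an application-layer parser together with the IP:port pair it was seen on, wrap it in synthetic Ethernet, IP and UDP headers, and write the result as a classic libpcap file that Wireshark dissects like an on-the-wire capture. It goes a little beyond the UDP-over-IPv4 case the post starts from by also emitting IPv6 frames, and it computes real IP and UDP checksums so that checksum validation, if a user has it enabled, does not flag every frame. The MAC addresses, IPs, ports, timestamps, the SIP OPTIONS request and all function names are constructed for illustration.

```python
import ipaddress
import struct

LINKTYPE_ETHERNET, ETHERTYPE_IPV4, ETHERTYPE_IPV6, IPPROTO_UDP = 1, 0x0800, 0x86DD, 17
# Locally administered MACs (second hex digit 2): cannot collide with a real NIC.
FAKE_SRC_MAC, FAKE_DST_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement of the one's-complement 16-bit sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_pseudo_header(src, dst, udp_len: int) -> bytes:
    """Pseudo-header covered by the UDP checksum; the layout differs between IPv4 and IPv6."""
    if src.version == 4:
        return src.packed + dst.packed + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)
    return src.packed + dst.packed + struct.pack("!IHBB", udp_len, 0, 0, IPPROTO_UDP)


def udp_segment(src, dst, sport: int, dport: int, payload: bytes) -> bytes:
    udp_len = 8 + len(payload)
    hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    csum = checksum(udp_pseudo_header(src, dst, udp_len) + hdr + payload) or 0xFFFF  # 0 means "none"
    return hdr[:6] + struct.pack("!H", csum) + payload


def ipv4_header(src, dst, payload_len: int) -> bytes:
    # version 4 / IHL 5, DSCP 0, total length, id 0, DF set, TTL 64, proto UDP, checksum 0, addrs
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                      IPPROTO_UDP, 0, src.packed, dst.packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def ipv6_header(src, dst, payload_len: int) -> bytes:
    # version 6, traffic class 0, flow label 0, payload length, next header UDP, hop limit 64
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, IPPROTO_UDP, 64, src.packed, dst.packed)


def frame_for_message(src_ip: str, sport: int, dst_ip: str, dport: int, payload: bytes) -> bytes:
    """One Ethernet frame carrying PAYLOAD as a UDP datagram from src_ip:sport to dst_ip:dport."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination must be the same IP version")
    udp = udp_segment(src, dst, sport, dport, payload)
    if src.version == 4:
        return FAKE_DST_MAC + FAKE_SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + ipv4_header(src, dst, len(udp)) + udp
    return FAKE_DST_MAC + FAKE_SRC_MAC + struct.pack("!H", ETHERTYPE_IPV6) + ipv6_header(src, dst, len(udp)) + udp


def pcap_record(timestamp: float, frame: bytes) -> bytes:
    sec = int(timestamp)
    usec = int(round((timestamp - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def build_pcap(messages, snaplen: int = 65535) -> bytes:
    """MESSAGES: iterable of (timestamp, src_ip, sport, dst_ip, dport, payload). Returns a pcap file image."""
    # Global header: magic (little-endian, microsecond stamps), version 2.4, thiszone 0, sigfigs 0, snaplen, linktype
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts, src_ip, sport, dst_ip, dport, payload in messages:
        out += pcap_record(ts, frame_for_message(src_ip, sport, dst_ip, dport, payload))
    return bytes(out)


def verify_frame(frame: bytes) -> dict:
    """Parse a frame built above and recheck its checksums, as a dissector would."""
    if struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_IPV4:
        ip_hdr, udp = frame[14:34], frame[34:]
        src, dst = ipaddress.ip_address(ip_hdr[12:16]), ipaddress.ip_address(ip_hdr[16:20])
        ip_ok = checksum(ip_hdr) == 0          # a valid header re-sums to zero
    else:
        ip_hdr, udp = frame[14:54], frame[54:]
        src, dst = ipaddress.ip_address(ip_hdr[8:24]), ipaddress.ip_address(ip_hdr[24:40])
        ip_ok = True                           # IPv6 has no header checksum
    sport, dport, udp_len = struct.unpack("!HHH", udp[:6])
    udp_ok = checksum(udp_pseudo_header(src, dst, udp_len) + udp) == 0
    return {"src": f"{src}:{sport}", "dst": f"{dst}:{dport}", "payload": udp[8:],
            "ip_checksum_ok": ip_ok, "udp_checksum_ok": udp_ok}


# Constructed sample: one SIP OPTIONS request as an application-layer parser would hand it over.
SAMPLE_SIP = (b"OPTIONS sip:proxy.example.com SIP/2.0\r\n"
              b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-example\r\n"
              b"From: <sip:alice@example.com>;tag=1928301774\r\nTo: <sip:proxy.example.com>\r\n"
              b"Call-ID: a84b4c76e66710@192.0.2.10\r\nCSeq: 63104 OPTIONS\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    with open("sip_app_capture.pcap", "wb") as f:
        f.write(build_pcap([(1285192807.5, "192.0.2.10", 5060, "198.51.100.20", 5060, SAMPLE_SIP),
                            (1285192807.75, "2001:db8::10", 5060, "2001:db8::20", 5060, SAMPLE_SIP)]))
```

Opening the resulting file in Wireshark runs the SIP dissector on UDP port 5060 as usual, and because the addresses live in the synthetic IP/UDP headers, display filters on ip.addr and the conversation statistics work. Note what the example deliberately does not do: every message is framed as a UDP datagram regardless of how it actually arrived, so a message received over TCP or TLS shows up as a standalone datagram with no stream, no sequence numbers and no reassembly, which is exactly the misleading presentation the post is trying to get away from.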