Wireshark-dev: Re: [Wireshark-dev] rs232 dissection?
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sat, 11 Feb 2012 13:07:56 -0800
On Feb 10, 2012, at 1:10 PM, Guy Harris wrote:

> As for the file format, you could:
> 
> 	use one of the USERn link-layer type values in a pcap or pcap-NG file, and set up your dissector to handle that USERn type;
> 
> 	get a link-layer header type value officially assigned, by sending a request to tcpdump-workers@xxxxxxxxxxxxxxxxx (and supplying a description of the packet format or a link to that specification), use it in a pcap or pcap-NG file, add a WTAP_ENCAP_ value for your packets, and modify Wireshark to map that link-layer header type value to the WTAP_ENCAP_ value, and have your dissector register for that WTAP_ENCAP_ value;
> 
> 	use your own file format, add a WTAP_ENCAP_ value for your packets, add code to read that file format using that WTAP_ENCAP_ value, and modify Wireshark to map that link-layer header type value to the WTAP_ENCAP_ value, and have your dissector register for that WTAP_ENCAP_ value.

	...

> I'd recommend the first or second - the first if you're only using it yourself, the second if you want to exchange captures with other people.

The one reason to go for the third option would be if you've already created the new file format and are writing files out in that format.
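As an added illustration of the first option above (example code, not from this thread and not Wireshark project code): a small writer and reader for a classic pcap file whose link-layer type is LINKTYPE_USER0 (value 147; the private-use range LINKTYPE_USER0..LINKTYPE_USER15 is 147..162 in the tcpdump.org registry). The per-record RS-232 layout (one direction byte followed by the raw serial bytes) and the sample "AT"/"OK" exchange are assumptions constructed for the example. The reader refuses files whose link type is outside the USERn range, which is the check a USERn dissector's file side should make so it is never handed frames written under some other link type.

```python
"""Round-trip constructed RS-232 records through a classic pcap file that uses
LINKTYPE_USER0, as in the first option discussed above. Added example, not
Wireshark code; the record layout below is an assumption for illustration."""
import struct

# tcpdump.org link-layer type registry: LINKTYPE_USER0..LINKTYPE_USER15 are
# 147..162 and reserved for private use.
LINKTYPE_USER0 = 147
LINKTYPE_USER15 = 162

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
PCAP_MAJOR, PCAP_MINOR = 2, 4

# Hypothetical private per-record layout (assumption, not a real spec):
#   byte 0   : direction, 0 = host -> device, 1 = device -> host
#   bytes 1..: the raw bytes seen on the serial line
DIR_TO_DEVICE = 0
DIR_FROM_DEVICE = 1


def encode_rs232(direction, payload):
    if direction not in (DIR_TO_DEVICE, DIR_FROM_DEVICE):
        raise ValueError("bad direction %r" % (direction,))
    return bytes([direction]) + bytes(payload)


def decode_rs232(frame):
    if len(frame) < 1:
        raise ValueError("empty frame")
    if frame[0] not in (DIR_TO_DEVICE, DIR_FROM_DEVICE):
        raise ValueError("bad direction byte %d" % frame[0])
    return frame[0], bytes(frame[1:])


def write_pcap(records, linktype=LINKTYPE_USER0, snaplen=65535):
    """records: iterable of (ts_sec, ts_usec, frame). Returns the file as bytes."""
    if not (LINKTYPE_USER0 <= linktype <= LINKTYPE_USER15):
        raise ValueError("this writer only emits private LINKTYPE_USERn files")
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, PCAP_MAJOR, PCAP_MINOR,
                                0, 0, snaplen, linktype))
    for ts_sec, ts_usec, frame in records:
        caplen = min(len(frame), snaplen)
        # Record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", ts_sec, ts_usec, caplen, len(frame))
        out += frame[:caplen]
    return bytes(out)


def read_pcap(blob):
    """Parse a classic pcap of either byte order.
    Returns (linktype, [(ts_sec, ts_usec, frame), ...]) and rejects anything
    that is not a LINKTYPE_USERn file."""
    if len(blob) < 24:
        raise ValueError("truncated global header")
    if blob[:4] == struct.pack("<I", PCAP_MAGIC):
        endian = "<"
    elif blob[:4] == struct.pack(">I", PCAP_MAGIC):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %s)" % blob[:4].hex())
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", blob[4:24])
    if (major, minor) != (PCAP_MAJOR, PCAP_MINOR):
        raise ValueError("unsupported pcap version %d.%d" % (major, minor))
    if not (LINKTYPE_USER0 <= linktype <= LINKTYPE_USER15):
        raise ValueError("link-layer type %d is not a private LINKTYPE_USERn value" % linktype)
    records = []
    off = 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, caplen, origlen = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        if caplen > origlen or caplen > snaplen:
            raise ValueError("inconsistent record lengths at offset %d" % off)
        if off + caplen > len(blob):
            raise ValueError("truncated record data at offset %d" % off)
        records.append((ts_sec, ts_usec, bytes(blob[off:off + caplen])))
        off += caplen
    return linktype, records


# Constructed sample traffic: the host sends "AT", the device answers "OK".
SAMPLE_RECORDS = [
    (1328994476, 0, encode_rs232(DIR_TO_DEVICE, b"AT\r\n")),
    (1328994476, 120000, encode_rs232(DIR_FROM_DEVICE, b"OK\r\n")),
]


def roundtrip():
    """Write the sample to a USER0 pcap, read it back, decode each frame."""
    linktype, records = read_pcap(write_pcap(SAMPLE_RECORDS))
    return linktype, [decode_rs232(frame) for _, _, frame in records]


if __name__ == "__main__":
    lt, frames = roundtrip()
    print("linktype", lt)
    for direction, data in frames:
        print("->" if direction == DIR_TO_DEVICE else "<-", data)
```

On the Wireshark side, a file written this way arrives at the dissector as WTAP_ENCAP_USER0, so the dissector registers in the "wtap_encap" table for that value; the same number can also be pointed at an existing protocol through the DLT_USER protocol preferences without writing any code.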