Wireshark-dev: Re: [Wireshark-dev] Direction definition on packet bus with no direction info in
      
      
Many thanks to Martin and Guy for the feedback on this thread.
I have implemented option 3 for the time being just to test my dissector and move forwards, but I like the idea of a pseudo-wrapper around the packet with some additional flags, so I'll investigate this on the next spin.
Really appreciate the guidance.
Kind Regards
Andrew
On Wed, Oct 24, 2012 at 4:02 PM, Andrew Lonsdale <calonsdale1@xxxxxxxxx> wrote:
Hi Folks, 
I'm writing a dissector for an interface which doesn't indicate direction of data flow in the packet headers. I currently capture separate files in pcapng format for uplink and downlink (separate streams), but I could merge the two into a file. Currently I just open one file and merge the other in Wireshark itself.
It would be useful to be able to indicate in the PROTOCOL column if a packet is an uplink or downlink packet, and I have four possible methods in mind:
1) Have two different DLTs, one for uplink and one for downlink, and effectively treat the two as separate interfaces. This is probably easiest but seems heavy-handed.
2) I have been looking into setting the epb_flags option in the EHB blocks to indicate uplink and downlink, but I can't find out how to access that field of data in my dissector.
3) Add an opt_comment with known text ("UP" or "DN") and parse for that text during dissection. Easy to implement but a bit clunky.
4) Fiddle with a reserved bit in the packet header. This feels like a bad thing to do as it alters the item under test.
Method 2 feels like it would be the right thing to do, and 3 looks like the easiest.
Is there a preferred way of dealing with this issue, and does anyone have any observations about what I am trying to do?
Kind Regards
Andrew
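
For methods 2 and 3 in the original question, here is an added example (not part of either message and not Wireshark code) that reads the options of a single pcapng Enhanced Packet Block and reports the direction from epb_flags (option code 2, low two bits: 01 inbound, 10 outbound) alongside any opt_comment. The helper names and the sample block are constructed for illustration; mapping outbound to uplink and inbound to downlink is an assumption about the capture setup.

```python
import struct

EPB_TYPE = 0x00000006
OPT_END, OPT_COMMENT, EPB_FLAGS = 0, 1, 2
DIRECTIONS = {0: "unknown", 1: "inbound", 2: "outbound"}

def pad4(n):
    # pcapng pads packet data and option values to 32-bit boundaries
    return (n + 3) & ~3

def epb_options(block, endian="<"):
    """Yield (code, value) for each option in one Enhanced Packet Block."""
    btype, total_len = struct.unpack_from(endian + "II", block, 0)
    if btype != EPB_TYPE or total_len != len(block) or total_len < 32:
        raise ValueError("not a complete Enhanced Packet Block")
    (trailer,) = struct.unpack_from(endian + "I", block, total_len - 4)
    if trailer != total_len:
        raise ValueError("trailing block length mismatch")
    (cap_len,) = struct.unpack_from(endian + "I", block, 20)
    pos, end = 28 + pad4(cap_len), total_len - 4
    if pos > end:
        raise ValueError("captured length exceeds block")
    while pos + 4 <= end:
        code, length = struct.unpack_from(endian + "HH", block, pos)
        pos += 4
        if code == OPT_END:
            return
        if pos + length > end:
            raise ValueError("option overruns block")
        yield code, block[pos:pos + length]
        pos += pad4(length)

def epb_direction(block, endian="<"):
    """Return the direction named by epb_flags, or 'unknown' if absent."""
    for code, value in epb_options(block, endian):
        if code == EPB_FLAGS and len(value) == 4:
            (flags,) = struct.unpack(endian + "I", value)
            return DIRECTIONS.get(flags & 0x3, "reserved")
    return "unknown"

def build_epb(payload, options, endian="<"):
    """Constructed sample block (interface 0, zero timestamp) for the demo."""
    body = struct.pack(endian + "IIIII", 0, 0, 0, len(payload), len(payload))
    body += payload.ljust(pad4(len(payload)), b"\0")
    for code, value in options:
        body += struct.pack(endian + "HH", code, len(value))
        body += value.ljust(pad4(len(value)), b"\0")
    body += struct.pack(endian + "HH", OPT_END, 0)
    total = len(body) + 12  # type + leading length + trailing length
    return struct.pack(endian + "II", EPB_TYPE, total) + body + struct.pack(endian + "I", total)
```

The length checks matter when the capture file comes from an untrusted source: a captured length or option length larger than the block is rejected instead of being read past the block boundary.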