Wireshark-dev: Re: [Wireshark-dev] Custom link layer type for logging additional data
On Nov 26, 2014, at 8:18 PM, Anil <anilkumar911@xxxxxxxxx> wrote:
> Hi,
>
> During packet capture, I want to log additional data other than what's in the ethernet packet and the per packet pcap header. So, I have created a custom header and am logging additional information into this.
>
> I have modified pcap_to_wtap_map[] to add another mapping to add another link type.
And you registered the LINKTYPE_ value that you're using as an index into that array with tcpdump-workers@xxxxxxxxxxxxxxxxx, right? As the comment before that array says:
/*
* Map link-layer header types (LINKTYPE_ values) to Wiretap encapsulations.
*
* Either LBL NRG wasn't an adequate central registry (e.g., because of
* the slow rate of releases from them), or nobody bothered using them
* as a central registry, as many different groups have patched libpcap
* (and BPF, on the BSDs) to add new encapsulation types, and have ended
* up using the same DLT_ values for different encapsulation types.
*
* The Tcpdump Group now maintains the list of link-layer header types;
* they introduced a separate namespace of LINKTYPE_ values for the
* values to be used in capture files, and have libpcap map between
* those values in capture file headers and the DLT_ values that the
* pcap_datalink() and pcap_open_dead() APIs use. See
* http://www.tcpdump.org/linktypes.html for a list of LINKTYPE_ values.
*
* In most cases, the corresponding LINKTYPE_ and DLT_ values are the
* same. In the cases where the same link-layer header type was given
* different values in different OSes, a new LINKTYPE_ value was defined,
* different from all of the existing DLT_ values.
*
* This table maps LINKTYPE_ values to the corresponding Wiretap
* encapsulation. For cases where multiple DLT_ values were in use,
* it also checks what <pcap.h> defineds to determine how to interpret
* them, so that if a file was written by a version of libpcap prior
* to the introduction of the LINKTYPE_ values, and has a DLT_ value
* from the OS on which it was written rather than a LINKTYPE_ value
* as its linktype value in the file header, we map the numerical
* DLT_ value, as interpreted by the libpcap with which we're building
* Wireshark/Wiretap interprets them (which, if it doesn't support
* them at all, means we don't support them either - any capture files
* using them are foreign, and we don't hazard a guess as to which
* platform they came from; we could, I guess, choose the most likely
* platform), to the corresponding Wiretap encapsulation.
*
* Note: if you need a new encapsulation type for libpcap files, do
* *N*O*T* use *ANY* of the values listed here! I.e., do *NOT*
* add a new encapsulation type by changing an existing entry;
* leave the existing entries alone.
*
* Instead, send mail to tcpdump-workers@xxxxxxxxxxxxxxxxx, asking for
* a new LINKTYPE_/DLT_ value, and specifying the purpose of the new
* value. When you get the new LINKTYPE_/DLT_ value, use that numerical
* value in the "linktype_value" field of "pcap_to_wtap_map[]".
*/
If you do not request a value from tcpdum-workers@xxxxxxxxxxxxxxxxx, but instead choose your own value, none of your changes to Wireshark adding that value will ever be accepted. You ***MUST*** first get an official value.