Suppose I have a list of packets which will be written as a PCAP file. The packets contain an 8-byte preamble. Currently I don't write those 8 bytes to the PCAP. I am just wondering if it is possible to write the preamble to the PCAP? Thanks. asked 13 Mar '13, 10:52 kintaro
2 Answers:
Note there's a link type which has all this included: LINKTYPE_NETANALYZER_TRANSPARENT, see the tcpdump site. answered 13 Mar '13, 14:06 Jaap ♦
I don't think it is possible, because Wireshark will try to interpret the 8 bytes as part of the packet contents, which they are not. Why would you want to write the preamble to file anyway? Usually it's always the same pattern, and not very interesting unless you have a jabber going on. So no, Wireshark can not display the preamble. answered 13 Mar '13, 11:02 Jasper ♦♦ edited 13 Mar '13, 11:03

The reason is that my FPGA can give me the whole packet (including the preamble) and I would like to display it in the PCAP file. (13 Mar '13, 11:21) kintaro

PCAP does not include preambles, so if you need to keep them for any reason you cannot use PCAP. Maybe some other format can do this, but I don't think any commercial or open source format does. I know that the Network General CAP format has some features that go beyond what PCAP can do, but it is not well documented. (13 Mar '13, 11:50) Jasper ♦♦

pcap/pcap-ng files can, as long as there's a link-layer header type for it, contain, for example, Ethernet packets with the preamble. See Jaap's answer. A pcap file, or packets from a pcap-ng interface, with a link-layer header type of LINKTYPE_ETHERNET (corresponding to DLT_EN10MB) can't contain the preamble, but, as Jaap noted, a pcap file, or packets from a pcap-ng interface, with a link-layer header type of LINKTYPE_NETANALYZER_TRANSPARENT can - and, in fact, must - include a preamble (and the FCS). They must also include a pseudo-header giving some flags. (13 Mar '13, 15:23) Guy Harris ♦♦

This shows once again that one never stops learning new stuff... I didn't know that. Maybe we should uncheck my answer and accept Jaap's answer instead? I'd be fine with that, it's the better one. (13 Mar '13, 15:27) Jasper ♦♦
Ok. Let me try. Thanks.
Note that you'll have to include, in addition to the preamble, the 4-byte header described on the tcpdump.org page for LINKTYPE_NETANALYZER.
Note also that, currently, the entire payload for LINKTYPE_NETANALYZER_TRANSPARENT is dissected as raw data; it doesn't show the preamble and SFD and then dissect the rest as an Ethernet frame.
I tried to save the file as network type 241 (LINKTYPE_NETANALYZER_TRANSPARENT) but Wireshark shows an error:
"The file capture.pcap is a capture for a network type that Wireshark doesn't support. (pcap: network type 241 unknown or unsupported)."
Any idea why?
Because you're using a version of Wireshark that's too old to support LINKTYPE_NETANALYZER_TRANSPARENT. You need Wireshark 1.8 or later.
Cool. It works. You are right, it won't decode the payload as an Ethernet frame. Are we going to implement that in the future?
The reason why the Hilscher people didn't do that is, to quote a comment in their code:
However, "normally" doesn't mean "always", and, even then, I'm not sure for what sort of "low-level analysis" it would be better not to dissect the Ethernet packet at all. We should probably change that at some point.
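To make the thread's conclusion concrete, here is an added example (not code posted by anyone in the thread) that writes a classic little-endian pcap with link type 241 (LINKTYPE_NETANALYZER_TRANSPARENT), where each packet record carries the 4-byte netANALYZER pseudo-header, the 7-byte preamble, the SFD, the Ethernet frame and the FCS, and then reads the file back to check that the preamble and FCS survived. Two things are assumptions: the pseudo-header is written as four zero bytes (its real flag layout is on the tcpdump.org page for LINKTYPE_NETANALYZER and is not reproduced here), and the Ethernet frame is constructed rather than captured from an FPGA.

```python
"""Write a pcap that keeps the Ethernet preamble and SFD (link type 241).

Added example for this thread, not code posted in it.
Assumptions (not from the thread):
  - the 4-byte netANALYZER pseudo-header is written as four zero bytes;
    its real flag layout is on the tcpdump.org page for LINKTYPE_NETANALYZER
  - SAMPLE_FRAME is constructed, not captured from an FPGA
"""
import struct
import zlib
from typing import List, Tuple

LINKTYPE_ETHERNET = 1                   # DLT_EN10MB: no preamble, no SFD, normally no FCS
LINKTYPE_NETANALYZER_TRANSPARENT = 241  # pseudo-header + preamble + SFD + frame + FCS

PREAMBLE = b"\x55" * 7   # seven bytes of 10101010
SFD = b"\xd5"            # start frame delimiter 10101011
PCAP_MAGIC_LE = 0xA1B2C3D4


def ethernet_fcs(frame: bytes) -> bytes:
    """IEEE 802.3 FCS: CRC-32 over dst..payload, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)


def netanalyzer_transparent_record(frame: bytes, pseudo_header: bytes = b"\x00" * 4) -> bytes:
    """Packet data for link type 241: pseudo-header (assumed zero), preamble, SFD, frame, FCS."""
    if len(pseudo_header) != 4:
        raise ValueError("netANALYZER pseudo-header must be 4 bytes")
    return pseudo_header + PREAMBLE + SFD + frame + ethernet_fcs(frame)


def pcap_file(linktype: int, records: List[Tuple[int, int, bytes]]) -> bytes:
    """Classic little-endian pcap: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, linktype)
    for ts_sec, ts_usec, data in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)) + data
    return out


def parse_pcap(blob: bytes) -> Tuple[int, List[bytes]]:
    """Read back a little-endian classic pcap; returns (linktype, list of packet data)."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian classic pcap")
    off, packets = 24, []
    while off < len(blob):
        _sec, _usec, incl, _orig = struct.unpack_from("<IIII", blob, off)
        off += 16
        packets.append(blob[off:off + incl])
        off += incl
    return linktype, packets


def split_transparent(record: bytes) -> Tuple[bytes, bytes, bool]:
    """Undo netanalyzer_transparent_record: (pseudo_header, frame, fcs_ok)."""
    pseudo_header, rest = record[:4], record[4:]
    if rest[:8] != PREAMBLE + SFD:
        raise ValueError("record does not start with preamble + SFD")
    frame, fcs = rest[8:-4], rest[-4:]
    return pseudo_header, frame, fcs == ethernet_fcs(frame)


# Constructed sample: broadcast dst, locally administered src, EtherType 0x88B5
# (IEEE 802 local experimental), 46-byte payload -> 60-byte minimum frame.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "021122334455" "88b5") + bytes(range(46))


def build_sample_pcap() -> bytes:
    record = netanalyzer_transparent_record(SAMPLE_FRAME)
    return pcap_file(LINKTYPE_NETANALYZER_TRANSPARENT, [(1363174320, 0, record)])


if __name__ == "__main__":
    with open("preamble.pcap", "wb") as f:
        f.write(build_sample_pcap())
    linktype, packets = parse_pcap(build_sample_pcap())
    _ph, frame, ok = split_transparent(packets[0])
    print(linktype, len(packets[0]), ok, frame == SAMPLE_FRAME)
```

The same pcap_file function with LINKTYPE_ETHERNET and the bare frame (no pseudo-header, no preamble, no SFD) is the conventional way to write the capture if the preamble is not needed; writing preamble bytes under link type 1 would make Wireshark treat them as the destination MAC. As the thread notes, Wireshark 1.8 or later is needed to open the type-241 file, and at the time of the thread it shows the record as raw data rather than dissecting the Ethernet frame after the SFD.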