This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

One file. Multiple DLT USER packets. Is it possible?

0

Hello everyone, I'm trying to log RRC messages. There are a few RRC protocols: "rrc.ul.ccch", "rrc.dl.ccch", "rrc.ul.dcch", "rrc.dl.dcch".

I'm getting all kind of messages, one after the other, and I want to use wireshark as a log to all the messages that I've captured. Meaning, I want to create one file that will hold all the messages received in the protocols above, in the same order they were received.

I don't listen on any interface, but I have an internal system that gives me the bytes of the messages, and I have a way to tell which message corresponds to which protocol.

I created a DLT_USER for each protocol and I parse the bytes using text2pcap according to the suitable message received. (text2pcap -l DLT_USER textfilewithbytes)

Now, I want to merge files with 2 (or more) types of protocols into one single file. mergecap won't let me do that. The way I understand it, mergecap doesn't like it when I try to merge different DLT_USERs (which specify different protocols) into one file. What am I missing? Is it possible to have one file with multiple DLT_USERs in it? How can I verify that I'm creating pcapNG and not just regular libpcap?

Thanks a lot, Dor

P.S. I have the most updated WireShark installed.

asked 21 Apr '13, 08:27

DorZ
1112
accept rate: 0%


One Answer:

1

I think there can only be one DLT per interface in PCAP_NG; you could try to create an IDB per DLT, or add some pseudo data for your user DLT indicating the next protocol and write a dissector for the DLT.

answered 22 Apr '13, 07:08

Anders ♦
4.6k952
accept rate: 17%

Hi Anders, thanks for taking the time to answer. Actually, I AM trying to do just as you said, i.e., creating a new dissector (with Lua) that will dissect the packet according to the packet. But when I'm using DissectorTable.get(..), whatever string I put there I get an error 'no such dissector table' (I tried "ip.proto", "ethertype", "tcp.port", "udp.port". Nothing worked).

Do you have any idea why?

Thanks, Dor

(22 Apr '13, 07:20) DorZ
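The second option in the answer above (a pseudo-header on a single user DLT plus a dissector that reads it), written out as an added Lua example; this is not code from the original thread or from Wireshark itself. It assumes a constructed layout in which byte 0 of every record is a channel selector (the selector values 0..3 are an assumption) and the remaining bytes are the raw RRC PDU; the dissector names "rrc.ul.ccch", "rrc.dl.ccch", "rrc.ul.dcch" and "rrc.dl.dcch" are the ones named in the question. Two details matter for the DissectorTable.get error in the comment: a link-type dissector registers in the "wtap_encap" table (the port tables "tcp.port", "udp.port", "ip.proto" and "ethertype" are only reached after a lower layer has dissected something, which never happens on a bare DLT_USER frame), and the RRC channel dissectors are looked up by name with Dissector.get rather than through any table.

```lua
-- Added example (not from the original thread): a Lua dissector for one
-- DLT_USER link type whose first byte is a constructed pseudo-header
-- selecting the RRC channel.
-- Assumed layout: byte 0 = channel selector, bytes 1.. = raw RRC PDU.

-- Selector values are an assumption; the dissector names come from the question.
local channel_names = {
    [0] = "rrc.ul.ccch",
    [1] = "rrc.dl.ccch",
    [2] = "rrc.ul.dcch",
    [3] = "rrc.dl.dcch",
}

local rrc_mux = Proto("rrc_mux", "RRC channel multiplex (DLT_USER0 pseudo-header)")

-- The value table doubles as the display string for the selector field.
local f_sel = ProtoField.uint8("rrc_mux.channel", "RRC channel", base.DEC, channel_names)
rrc_mux.fields = { f_sel }

-- Resolve a named dissector without raising if this build does not have it.
local function lookup(name)
    local ok, d = pcall(Dissector.get, name)
    if ok then
        return d
    end
    return nil
end

-- Fallback for unknown or unavailable channels: show the bytes as plain data.
local data_dissector = Dissector.get("data")

function rrc_mux.dissector(tvb, pinfo, tree)
    local len = tvb:len()
    if len < 1 then
        return 0
    end

    local sel = tvb(0, 1):uint()
    local subtree = tree:add(rrc_mux, tvb(0, 1))
    subtree:add(f_sel, tvb(0, 1))

    if len < 2 then
        -- Selector byte with no PDU behind it: record it and stop.
        pinfo.cols.info = "RRC selector " .. sel .. " with empty payload"
        return len
    end

    -- Everything after the selector is handed to the channel dissector as a fresh Tvb.
    local payload = tvb(1):tvb()
    local name = channel_names[sel]
    local d = nil
    if name ~= nil then
        d = lookup(name)
    end

    if d ~= nil then
        d:call(payload, pinfo, tree)
    else
        pinfo.cols.info = "Unknown RRC channel selector " .. sel
        data_dissector:call(payload, pinfo, tree)
    end
    return len
end

-- Bind to DLT_USER0 (libpcap link type 147). Files produced with
-- "text2pcap -l 147 ..." are dispatched here.
DissectorTable.get("wtap_encap"):add(wtap_encap.USER0, rrc_mux)
```

With this in place every message goes through the same link type, so there is nothing left for mergecap to refuse: write the selector as the first byte of each hex-dump record, convert all of them with `text2pcap -l 147`, and the channel is chosen per packet by the dissector rather than per file by the DLT. If a capture must instead keep one DLT per channel, that is the answer's other option (one pcapng IDB per link type), which the single-interface assumption in this script does not cover.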