This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Feeding the 802.15.4 Dissector

0

Hello, I'm using Wireshark to read from a pipe and i'm using the native IEEE 802.15.4 dissector, but I'm having trouble feeding Wireshark the proper bytes. I've tried to search but I can't find the right sequence of bytes the dissector is waiting.

Can anyone help me? Thanks in advance.

asked 29 Jul '13, 07:48

funguy's gravatar image

funguy
11112
accept rate: 0%

One Answer:

0

802.15.4 dissector does following in proto_reg_handoff_ieee802154:

dissector_add_uint("wtap_encap", WTAP_ENCAP_IEEE802_15_4, ieee802154_handle);
dissector_add_uint("wtap_encap", WTAP_ENCAP_IEEE802_15_4_NONASK_PHY, ieee802154_nonask_phy_handle);
dissector_add_uint("wtap_encap", WTAP_ENCAP_IEEE802_15_4_NOFCS, ieee802154_nofcs_handle);
dissector_add_uint("sll.ltype", LINUX_SLL_P_IEEE802154, ieee802154_handle);

If you look into wiretap/pcap-common.c you will find that following linktypes are assigned for the WTAP_ENCAP_ defines:

/* IEEE 802.15.4 Wireless PAN */
{ 195, WTAP_ENCAP_IEEE802_15_4 },
...
/* IEEE 802.15.4 Wireless PAN non-ASK PHY */
{ 215, WTAP_ENCAP_IEEE802_15_4_NONASK_PHY },
...
/* IEEE 802.15.4 Wireless PAN no fcs */
{ 230, WTAP_ENCAP_IEEE802_15_4_NOFCS },

Now, get over to the tcpdump linktypes [1] and check the descriptions for 195, 215, 230. Choose the one that is closest match to your data and then set that number as linktype in pcap header.

[1] http://www.tcpdump.org/linktypes.html

answered 30 Jul '13, 22:34

desowin's gravatar image

desowin
262
accept rate: 0%