This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Standardized link type code for unix sockets/file handles

0

I'm writing a utility which uses SSH as the transport, much like Git uses SSH for pushes. Additionally I wrote a utility which executes a command and then captures the STDIN, STDOUT, and STDERR to the executed command. The capture utility currently writes the dump file so that it appears as a RAW link type and UDP packets.

Is it possible to create a new link type code for raw file handles?

I'm envisioning a packet structure which contains:

  • 4 byte file descriptor
  • 1 byte (0x01 == read data, 0x02 == write data, 0x03 == UTF8 error message)
  • 3 byte errno code (if error)
  • ? byte data

This would remove the confusion of the source/destination IP address and ports when I send the capture to co-workers. It would also allow future development to create a Follow Shell session for file descriptors STDIN_FILENO, STDOUT_FILENO, and STDERR_FILENO much like the follow TCP or follow UDP features.

asked 26 Oct '13, 21:48


syzdek
accept rate: 0%


2 Answers:

0

I wrote a utility which executes a command and then captures the STDIN, STDOUT, and STDERR to the executed command.

Here is how I understand what you are trying to do.

  • You are capturing/recording the raw data (payload) of STD*
  • You write that in a pcap like file structure
  • You have a data structure to distinguish the three STD* 'channels'
  • You need a new link type (for what exactly)?

Here is what you could do

  • Use a user defined link layer type (DLT_USER 0-15, DLT = 147-163), see here: http://wiki.wireshark.org/HowToDissectAnything
  • Write your own dissector that is able to handle your data structure and which shows the content of the STD* 'channels' with or without 'Follow Stream' functionality (needs to be added additionally to the dissector).

If that's not what you are trying to do, please add more details, as I might not fully understand your intention.

Regards
Kurt

answered 27 Oct '13, 11:09


Kurt Knochner ♦
accept rate: 15%
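As an added illustration of the user-defined link type approach from this answer (not code from the original thread): a small Python writer/reader that stores the asker's proposed record layout (4-byte fd, 1-byte op, 3-byte errno, payload) in a classic pcap file tagged DLT_USER0 (147). The op codes, the sample session and the big-endian field order are assumptions for the example.

```python
import struct

# DLT_USER0 = 147 is the first of the 16 user-defined link types (147-162).
DLT_USER0 = 147
# Assumed op codes, following the layout proposed in the question.
OP_READ, OP_WRITE, OP_ERROR = 0x01, 0x02, 0x03

def encode_record(fd, op, errno, data):
    """Pack one record: 4-byte fd, 1-byte op, 3-byte errno, then payload."""
    if not 0 <= errno < (1 << 24):
        raise ValueError("errno must fit in 3 bytes")
    return struct.pack(">IB", fd, op) + errno.to_bytes(3, "big") + data

def decode_record(buf):
    """Inverse of encode_record; rejects records shorter than the 8-byte header."""
    if len(buf) < 8:
        raise ValueError("record too short")
    fd, op = struct.unpack(">IB", buf[:5])
    return fd, op, int.from_bytes(buf[5:8], "big"), buf[8:]

def pcap_file(records):
    """Serialise (ts_sec, ts_usec, payload) tuples into a pcap blob with DLT_USER0."""
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, DLT_USER0)
    for ts_sec, ts_usec, payload in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload))
        out += payload
    return out

def parse_pcap(blob):
    """Read the blob back, checking magic and link type, and decode each record."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", blob[:24])
    if magic != 0xa1b2c3d4 or linktype != DLT_USER0:
        raise ValueError("not a little-endian pcap with DLT_USER0")
    off, recs = 24, []
    while off < len(blob):
        ts_sec, ts_usec, incl, _orig = struct.unpack("<IIII", blob[off:off + 16])
        off += 16
        recs.append((ts_sec, ts_usec, decode_record(blob[off:off + incl])))
        off += incl
    return recs

# Constructed sample session: a write to stdin, a read from stdout, an error on stderr.
SAMPLE_SESSION = [
    (1382838000, 0, encode_record(0, OP_WRITE, 0, b"ls\n")),
    (1382838000, 5000, encode_record(1, OP_READ, 0, b"notes.txt\n")),
    (1382838001, 0, encode_record(2, OP_ERROR, 2, b"No such file or directory")),
]

if __name__ == "__main__":
    with open("shell-session.pcap", "wb") as f:
        f.write(pcap_file(SAMPLE_SESSION))
```

Open the resulting file in Wireshark and bind DLT 147 to your dissector as described in the linked wiki page.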

0

The tcpdump/libpcap folks are the ones who look after this. See here.

answered 27 Oct '13, 07:02


grahamb ♦
accept rate: 22%

When looking at the tcpdump link types, I missed the user defined types and they were not mentioned in the PCAP Next Generation Format. I wanted a link type which would not require me to encapsulate the data within bogus IP/UDP or IP/TCP packets. Briefly scanning the linked wiki article, it appears the user defined link layer types should work perfectly. Thanks.

(28 Oct '13, 02:35) syzdek