Hi, I am trying to add my own Encapsulation type. I've already written my dissector and done all steps needed to add an encapsulation value (as described here: http://ask.wireshark.org/questions/12660/where-to-find-documentation-of-writing-an-encapsulated-file-reader). Now what I want to know is from where and who sends the encapsulation value? Thanks

asked 22 Nov '13, 06:34 Afrim
2 Answers:
The encapsulation type originates from the capturing library/subsystem. In the case of Wireshark that's libpcap or WinPcap (the Windows 'port' of libpcap). dumpcap gets that value during the capture phase by calling pcap_datalink(). See here:
Regards answered 22 Nov '13, 07:25 Kurt Knochner ♦ edited 22 Nov '13, 15:02
You can use the DLT_USER feature of Wireshark to call your dissector for a certain encapsulation type.
Then add the user-defined DLT that is used in the pcap file and 'bind' that to your dissector. See here for a simple example. (27 Nov '13, 05:11) Kurt Knochner ♦
O.K. in that case you need your own encapsulation type. See the links I posted (how to request your own DLT from tcpdump-workers) and the answer of @Guy Harris regarding the same issue. (27 Nov '13, 07:27) Kurt Knochner ♦
I know about DLT_USER but I'm not sure I can use it. I hope it's clear enough for you. (27 Nov '13, 07:47) Afrim
How do you actually capture the traffic? By using a modified version of libpcap or by creating the pcap data structure yourself (within the hardware sniffer)? In libpcap you can set the link layer type by calling pcap_set_datalink(). (27 Nov '13, 07:54) Kurt Knochner ♦
If your company wants to sell a product, you should NOT use it, as we will NEVER ship a version of Wireshark that assigns a particular meaning to ANY DLT_USER value - that defeats the whole point of the DLT_USER values, which is to let specific organizations and individuals use DLT_USER values as they choose without having to worry about interfering with standard DLT_/LINKTYPE_ values. If you want your product to be conveniently usable with Wireshark, you MUST either:
(27 Nov '13, 12:07) Guy Harris ♦♦
@Kurt Knochner: I don't really know but I guess I can find this information in the sniffer. @Guy Harris: Ok now I understand. Thanks. (28 Nov '13, 05:57) Afrim
O.K. if the 'hardware sniffer' is not your product (that's what I understood in the first place), you need to either ask the vendor to use a special encapsulation type, or you need to convert the capture file created by that hardware sniffer to whatever format you may need. (28 Nov '13, 06:58) Kurt Knochner ♦
Yes, the hardware is provided with some options. I'll try to find any encapsulation type info before asking anything. (29 Nov '13, 03:50) Afrim
O.K., so your problem is 'twofold' (29 Nov '13, 05:18) Kurt Knochner ♦
In fact the hardware is our product and we can ask for new features (we have already done so). FTM we are investigating the sniffer because we have some issues with the traffic capture. (02 Dec '13, 03:56) Afrim
O.K. are there any further questions? (02 Dec '13, 03:59) Kurt Knochner ♦
No thank you, I appreciated your help :) (02 Dec '13, 15:55) Afrim
O.K. Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. (02 Dec '13, 16:19) Kurt Knochner ♦
The encapsulation type is set by the module in libwiretap that reads whatever type of file it's reading. Wireshark requires, for all encapsulation types, that it be supported by some type of file. If you're adding a new encapsulation type to Wireshark's native file formats, pcap and pcap-ng, either you should use one of the "reserved for users" types, if you don't plan to send those files outside whatever organization you belong to, or you should request a new LINKTYPE_/DLT_ value from [email protected]; DO NOT just pick a value and use it, as whatever value you use might get officially used for some other encapsulation, and Wireshark will support that other encapsulation, NOT your encapsulation.

answered 22 Nov '13, 12:30 Guy Harris ♦♦
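As an added illustration (not code from this thread, from Wireshark or from libpcap), here is what Kurt's "create the pcap data structure yourself" option looks like in combination with Guy's advice to stay inside the "reserved for users" range: the writer puts a DLT_USER value into the 24-byte pcap global header and refuses anything outside LINKTYPE_USER0..USER15 (147..162, the registered user range), and the reader recovers the value from a header written on a host of either byte order, as a libwiretap-style file reader must. The function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Registered "reserved for users" link types: LINKTYPE_USER0..USER15 = 147..162 */
#define LINKTYPE_USER0  147u
#define LINKTYPE_USER15 162u

/* The 24-byte pcap global header; "linktype" is the encapsulation value that
 * libwiretap reads and that a DLT_USER preference can bind to a dissector. */
struct pcap_file_header {
    uint32_t magic;             /* 0xa1b2c3d4: microsecond timestamps */
    uint16_t version_major;
    uint16_t version_minor;
    int32_t  thiszone;
    uint32_t sigfigs;
    uint32_t snaplen;
    uint32_t linktype;
};

/* Writer side (e.g. a hardware sniffer emitting its own pcap). Returns 0 and
 * fills out[24], or -1 if linktype is outside the DLT_USER range, so that a
 * made-up number can never collide with an officially assigned DLT. */
int build_user_pcap_header(uint8_t out[24], uint32_t linktype, uint32_t snaplen)
{
    if (linktype < LINKTYPE_USER0 || linktype > LINKTYPE_USER15)
        return -1;
    struct pcap_file_header h = { 0xa1b2c3d4u, 2, 4, 0, 0, snaplen, linktype };
    memcpy(out, &h, sizeof h);          /* native byte order, as libpcap writes it */
    return 0;
}

/* Reader side: recover the link type from a header written on a host of either
 * endianness (the magic tells us which), or return -1 if the magic is not pcap's. */
long read_pcap_linktype(const uint8_t *buf, size_t len)
{
    uint32_t magic, raw;
    if (len < sizeof(struct pcap_file_header))
        return -1;
    memcpy(&magic, buf, sizeof magic);
    memcpy(&raw, buf + offsetof(struct pcap_file_header, linktype), sizeof raw);
    if (magic == 0xa1b2c3d4u || magic == 0xa1b23c4du)   /* same order as this host */
        return raw;
    if (magic == 0xd4c3b2a1u || magic == 0x4d3cb2a1u)   /* byte-swapped writer */
        return (long)__builtin_bswap32(raw);
    return -1;
}
```

Writing those 24 bytes followed by ordinary pcap packet records yields a file Wireshark opens with encapsulation DLT_USER0, which the DLT_USER preference can then route to the custom dissector.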
Thank you both for your answers.
Is there a way to avoid the call of any encapsulation and, instead, to call my dissector?
Currently I am forcing all frames to call my dissector, which implies that all frames captured will be dissected by my dissector. I am restricting Wireshark to my dissector, which is not what I want.
Thinking again about your question, I'm not sure we are really talking about encapsulation types.
Maybe there is another solution for you.
It's a custom 802.15.4-2011 protocol based on both amendments (g and e) and some private fields. My company works on the protocol so we can generate .pcap files by using a hardware sniffer.
I thought encapsulation was what I needed but I am fine if there is another solution.