
Hi,

I am trying to add my own encapsulation type. I've already written my dissector and done all the steps needed to add an encapsulation value (as described here: http://ask.wireshark.org/questions/12660/where-to-find-documentation-of-writing-an-encapsulated-file-reader). Now what I want to know is: from where, and who, sends the encapsulation value?

Thanks

asked 22 Nov '13, 06:34


Afrim

Thank you both for your answers.

Is there a way to avoid the call of any encapsulation and, instead, to call my dissector?

Currently I am forcing all frames to call my dissector, which implies that all frames captured will be dissected by my dissector. I am restricting Wireshark to my dissector, which is not what I want.

(27 Nov '13, 02:43) Afrim

Thinking again about your question, I'm not sure we are really talking about encapsulation types.

  • So, what does your protocol look like?
  • Is it IP based?
  • How do you generate the capture file?
  • More generally, how do you capture that private protocol?

Maybe there is another solution for you.

(27 Nov '13, 06:09) Kurt Knochner ♦

It's a custom 802.15.4-2011 protocol based on both amendments (g and e) and some private fields. My company works on the protocol, so we can generate .pcap files by using a hardware sniffer.

I thought encapsulation was what I needed but I am fine if there is another solution.

(27 Nov '13, 07:13) Afrim

Now what I want to know is: from where, and who, sends the encapsulation value?

The encapsulation type originates from the capturing library/subsystem. In the case of Wireshark that's libpcap or WinPcap (the Windows 'port' of libpcap). dumpcap gets that value during the capture phase by calling pcap_datalink().

See here:

http://www.tcpdump.org/linktypes.html
http://wiki.wireshark.org/Development/LibpcapFileFormat

Regards
Kurt


answered 22 Nov '13, 07:25


Kurt Knochner ♦

edited 22 Nov '13, 15:02

Is there a way to avoid the call of any encapsulation and, instead, to call my dissector?

You can use the DLT_USER feature of Wireshark to call your dissector for a certain encapsulation type.

Edit -> Preferences -> Protocols -> DLT_USER -> Encapsulation Table

Then add the user-defined DLT that is used in the pcap file and 'bind' it to your dissector.

See here for a simple example:

http://wiki.wireshark.org/HowToDissectAnything

(27 Nov '13, 05:11) Kurt Knochner ♦

It's a custom 802.15.4-2011 protocol based on both amendments (g and e) and some private fields. My company works on the protocol, so we can generate .pcap files by using a hardware sniffer.

O.K., in that case you need your own encapsulation type. See the links I posted (how to request your own DLT from tcpdump-workers) and the answer of @Guy Harris regarding the same issue.

(27 Nov '13, 07:27) Kurt Knochner ♦

I know about DLT_USER, but I'm not sure I can use it.
I had to use DLT_USER because I had to sniff over a USB interface and Wireshark does not support this interface (on Windows), so I used C# code as a pipe where I could define a DLT value. In this case all frames had a DLT value.
Now we have a hardware sniffer which can generate .pcap files, so DLT_USER is no longer a viable solution because:
1. I'll have to convert each file to DLT 147 (assuming we use DLT_USER0).
2. FTM I don't know how to set the link_layer value to 147 for live traffic.

I hope it's clear enough for you.

(27 Nov '13, 07:47) Afrim
  2. FTM I don't know how to set the link_layer value to 147 for live traffic.

How do you actually capture the traffic? By using a modified version of libpcap, or by creating the pcap data structure yourself (within the hardware sniffer)?

In libpcap you can set the link-layer type by calling pcap_set_datalink().

(27 Nov '13, 07:54) Kurt Knochner ♦

I know about DLT_USER, but I'm not sure I can use it.

If your company wants to sell a product, you should NOT use it, as we will NEVER ship a version of Wireshark that assigns a particular meaning to ANY DLT_USER value - that defeats the whole point of the DLT_USER values, which is to let specific organizations and individuals use DLT_USER values as they choose without having to worry about interfering with standard DLT_/LINKTYPE_ values.

If you want your product to be conveniently usable with Wireshark, you MUST either:

  1. use one of the existing 802.15.4 link-layer header type values, as shown on the tcpdump.org link-layer header types page or:

  2. if those won't work, ask [email protected] for a new LINKTYPE_/DLT_ value for your encapsulation of 802.15.4, and, when that has been assigned, use that.

(27 Nov '13, 12:07) Guy Harris ♦♦

@Kurt Knochner: I don't really know, but I guess I can find this information in the sniffer.

@Guy Harris: Ok now I understand. Thanks.

(28 Nov '13, 05:57) Afrim

O.K. if the 'hardware sniffer' is not your product (that's what I understood in the first place), you need to either ask the vendor to use a special encapsulation type, or you need to convert the capture file created by that hardware sniffer to whatever format you may need.

(28 Nov '13, 06:58) Kurt Knochner ♦

Yes, the hardware is provided with some options; I'll try to find any encapsulation type info before asking for anything.

(29 Nov '13, 03:50) Afrim

O.K., so your problem is 'twofold':

  1. You need to convince the sniffer manufacturer to create the capture file in a certain way to support your own protocol (good luck with that one ;-)). BTW: I'm just curious. Who is the vendor of that sniffer hardware?
  2. You need to build your dissector in a way that it only dissects packets with a certain encapsulation type, which is much easier than problem #1, as that is something you can do yourself.

(29 Nov '13, 05:18) Kurt Knochner ♦

In fact the hardware is our product and we can ask for new features (we have already done so).

FTM we are investigating the sniffer because we have some issues with the traffic capture.

(02 Dec '13, 03:56) Afrim

O.K. are there any further questions?

(02 Dec '13, 03:59) Kurt Knochner ♦

No, thank you, I appreciated your help :)

(02 Dec '13, 15:55) Afrim

O.K.

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions.

(02 Dec '13, 16:19) Kurt Knochner ♦

Now what I want to know is: from where, and who, sends the encapsulation value?

The encapsulation type is set by the module in libwiretap that reads whatever type of file it's reading.

Wireshark requires, for all encapsulation types, that it be supported by some type of file.

If you're adding a new encapsulation type to Wireshark's native file formats, pcap and pcap-ng, either you should use one of the "reserved for users" types, if you don't plan to send those files outside whatever organization you belong to, or you should request a new LINKTYPE_/DLT_ value from [email protected]; DO NOT just pick a value and use it, as whatever value you use might get officially used for some other encapsulation, and Wireshark will support that other encapsulation, NOT your encapsulation.


answered 22 Nov '13, 12:30


Guy Harris ♦♦
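Both answers above come down to the same fact: in a classic pcap file the encapsulation is a single 32-bit "network"/linktype field at offset 20 of the 24-byte global header, written in the capturing side's byte order, and libwiretap hands that value to the dissector table. The following Python script, an added example that is not code from this thread or from Wireshark/libpcap, parses that header (detecting byte order and the microsecond/nanosecond magic), names the linktype, and rewrites it to a DLT_USERn value the way the "convert each file to DLT 147" step in the comments would. Its `retag_pcap` helper deliberately refuses numbers that are neither registered nor in the DLT_USER0..15 range (147..162), which is the "DO NOT just pick a value" rule from the answer. The `LINKTYPES` table lists only values known from the tcpdump.org linktypes page (1, 147..162, 195, 215, 230); the sample file bytes and timestamp are constructed for the example.

```python
import struct

# pcap global header (libpcap file format): magic, version major, version
# minor, thiszone, sigfigs, snaplen, linktype; 24 bytes in the writer's order.
PCAP_HEADER_LEN = 24
LINKTYPE_OFFSET = 20

# Value obtained by reading the first four bytes as little-endian, mapped to
# (struct byte-order prefix, timestamp unit) of the file.
MAGICS = {
    0xA1B2C3D4: ("<", "us"),   # little-endian writer, microsecond timestamps
    0xD4C3B2A1: (">", "us"),   # big-endian writer, microsecond timestamps
    0xA1B23C4D: ("<", "ns"),   # little-endian writer, nanosecond timestamps
    0x4D3CB2A1: (">", "ns"),   # big-endian writer, nanosecond timestamps
}

# Link-layer header types relevant to the thread (tcpdump.org/linktypes.html).
LINKTYPES = {
    1: "LINKTYPE_ETHERNET",
    195: "LINKTYPE_IEEE802_15_4_WITHFCS",
    215: "LINKTYPE_IEEE802_15_4_NONASK_PHY",
    230: "LINKTYPE_IEEE802_15_4_NOFCS",
}
# DLT_USER0..DLT_USER15 are 147..162, reserved for private use.
LINKTYPES.update({147 + n: f"LINKTYPE_USER{n}" for n in range(16)})


def parse_pcap_header(data):
    """Describe the global header of a classic pcap file (not pcap-ng)."""
    if len(data) < PCAP_HEADER_LEN:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in MAGICS:
        raise ValueError(f"not a classic pcap file (magic 0x{magic:08x})")
    order, ts_unit = MAGICS[magic]
    _, major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack_from(
        order + "IHHiIII", data, 0)
    return {
        "byte_order": "little" if order == "<" else "big",
        "timestamp_unit": ts_unit,
        "version": (major, minor),
        "snaplen": snaplen,
        "linktype": linktype,
        "linktype_name": LINKTYPES.get(linktype, "UNASSIGNED/UNKNOWN"),
    }


def retag_pcap(data, new_linktype):
    """Return a copy of the file with the linktype field rewritten in place.

    Only registered values or the DLT_USERn range are accepted: an arbitrary
    number may later be assigned to somebody else's encapsulation, and
    Wireshark would then dissect the file as that encapsulation instead.
    """
    if new_linktype not in LINKTYPES:
        raise ValueError(f"refusing unassigned linktype {new_linktype}")
    info = parse_pcap_header(data)
    order = "<" if info["byte_order"] == "little" else ">"
    out = bytearray(data)
    struct.pack_into(order + "I", out, LINKTYPE_OFFSET, new_linktype)
    return bytes(out)


def build_sample_pcap(linktype=195, big_endian=False):
    """Construct a tiny pcap file with one 802.15.4-sized record (sample data)."""
    order = ">" if big_endian else "<"
    header = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    # Made-up frame bytes; only the length matters for the record header.
    frame = bytes.fromhex("41 88 01 cd ab ff ff 00 00 aa bb cc dd")
    record = struct.pack(order + "IIII", 1385136000, 0, len(frame), len(frame)) + frame
    return header + record


if __name__ == "__main__":
    sample = build_sample_pcap()
    print(parse_pcap_header(sample))
    user0 = retag_pcap(sample, 147)
    print(parse_pcap_header(user0)["linktype_name"])
```

Run it against a real file by replacing `build_sample_pcap()` with `open(path, "rb").read()`; a header whose `linktype_name` comes back as `UNASSIGNED/UNKNOWN` is exactly the case the answer warns about, because whatever Wireshark eventually assigns to that number wins over the private meaning.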
