This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is Wireshark the right tool to inspect custom capture files?

0

I'm a bit overwhelmed by the Wireshark jargon and docs, but please bear with me. :) I am considering using Wireshark to inspect rather specific capture files of the following structure:

  • consists of a sequence of equal-size frames
  • each frame has a header and a payload
  • the payload consists of segments of variable-length packets (packets may span multiple frames, but a frame may contain multiple packets)

I assume I would be able to:

  • inspect frame header values
  • inspect packet header values
  • filter frames and packets depending on individual header values

So:

  1. am I looking at the right tool for the job?
  2. is there a better (FOSS) tool to build on top of, for this particular scenario?
  3. do I need to write a plugin (in C, Lua...) or is it a matter of configuration?

asked 18 May '15, 08:33


Tomislav
accept rate: 0%


2 Answers:

2

There is already support for CCSDS frames in Wireshark, so it's probably the right tool for you ;-)

However, I'm not sure how much of it has actually been implemented. If you have a sample capture file, try to open it with Wireshark and check what you get.

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3243
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9517

If there is something missing, you can

  • file an enhancement request at https://bugs.wireshark.org and hope that somebody has the know-how, time and interest to implement it for you
  • take a look at Wireshark Generic Dissector (wsgd) - http://wsgd.free.fr (Unfortunately the site seems to be down !?!)

Regards
Kurt

answered 18 May '15, 08:45


Kurt Knochner ♦
accept rate: 15%

edited 18 May '15, 10:57

wsgd.free.fr seems to be back online.

(18 May '15, 10:02) Guy Harris ♦♦

Still errors....

Erreur 500 - Erreur interne du serveur

(18 May '15, 10:54) Kurt Knochner ♦

Weird. It worked just now for me; perhaps they're having server problems, and, 23 minutes ago, it wasn't working, but it's OK now.

(18 May '15, 11:18) Guy Harris ♦♦

No, it was, I guess, using stuff locally cached in my browser; I did a reload and got that error.

(18 May '15, 11:19) Guy Harris ♦♦

CCSDS support already available?! Wow. Hadn't even crossed my mind as a possibility...will take a look at how it fares with my sample data first thing tomorrow!

(18 May '15, 12:54) Tomislav

Hadn't even crossed my mind as a possibility

Yes, it's insane how many exotic/esoteric protocols Wireshark supports. That makes it a superior tool ;-)

(18 May '15, 13:29) Kurt Knochner ♦

Check this out, or this.

(18 May '15, 14:15) Jaap ♦

Lots of interesting reading here, thanks everyone! Still, a raw file with CCSDS CADU frames doesn't appear to be a valid Wireshark "capture file": upon inspection, sample CCSDS capture files attached to one of the bug tracker issues obviously have a lot of dumpcap metadata, so I'm not sure how to "convert" the files I've got (as described above) to a capture file format that Wireshark can load. :| Any pointers, before I mark the question as answered?

(19 May '15, 01:01) Tomislav

I see a Link layer type on the horizon, cue Guy Harris. ;)

(19 May '15, 04:17) Jaap ♦

Or, if there's a good way to recognize those raw files, just add the ability to recognize and read those files to Wireshark's libwiretap library. The capture files in question have either Network General Sniffer metadata (not produced by dumpcap) or pcap-ng metadata (not unique to dumpcap), because they're packet capture files in that format; they contain Ethernet frames with CCSDS packets, detected by some heuristics. We also support dissecting CCSDS packets in VCDUs, with the VCDUs encapsulated in UDP packets, and CCSDS packets in Enhanced HOSC System packets, with the EHS packets encapsulated in UDP packets.

(19 May '15, 12:05) Guy Harris ♦♦

(For what it's worth, wsgd.free.fr appears to be back now.)

(19 May '15, 12:24) Guy Harris ♦♦

0

This is getting enough past the "straightforward question" layer that it's probably best discussed on the wireshark-dev mailing list. ask.wireshark.org is better thought of as a "crowdsourced FAQ" than as a discussion forum like the mailing lists.

The solution would probably involve code to read the raw files (if they consist of a sequence of the packets described in "Packet Format" in the document you cite, with each packet beginning with the sync word 1A CF FC 1D, it probably won't be hard to recognize files in the format), and code to parse the information wrapped around the CCSDS packets. Some or all of that could perhaps be written in Lua rather than C, at least for an initial implementation.

answered 19 May '15, 16:31


Guy Harris ♦♦
accept rate: 19%

Thank you Guy, if I need to push the discussion further, I'll move it to the list.

(26 May '15, 00:03) Tomislav