I work with a TCP/IP monitoring tool that runs on IBM z/OS mainframes. My product can capture packets created by a TCP/IP stack that also runs under z/OS. IPCS can convert such a file to a format compatible with Wireshark. We would like to avoid using IPCS and do the conversion within our product. Is there code available that we can imbed into our monitor that will do the file conversion?
asked 23 Oct '17, 11:39
Is this sufficient information to allow you to directly store the captured data in Wireshark-compatible format, rather than doing a conversion?
Any code you ask for would only cover the "store as pcapng" part but you would have to provide the "receive data from the capturing engine" part, which to me is roughly the same amount of work as to generate the file format directly.
Just to tell the full story, in addition to the advantages of pcap-ng over pcap, there is also a certain drawback to using the pcap-ng format - as of now, Wireshark still cannot read it from a pipe, but I guess this should not be of any importance for your use case (and I also hope it is not going to last forever).
answered 23 Oct '17, 12:25
You could also contribute code to Wireshark that allows it to read files in your format - assuming "your format" can be represented as a stream of bytes.
That means that if it's a bunch of count+data records in some z/OS access method, you'd have to represent it, to make it readable by UN*X and Windows systems, whose file systems store files as seekable byte streams, as a sequence of records with N bytes of count followed by the bytes of data in the record.
answered 24 Oct '17, 11:32
Guy Harris ♦♦
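
Added example, not part of the original answers and not code from Wireshark or the z/OS product: a sketch that reads count+data records from a byte stream and writes them directly as pcapng (one Section Header Block, one Interface Description Block, one Enhanced Packet Block per packet). Assumptions: a 2-byte big-endian count per record, packets that begin at the IP header (LINKTYPE_RAW), constructed timestamps and payloads, and hypothetical function names. It writes big-endian by default, since pcapng readers detect byte order from the byte-order magic.

```python
import io
import struct

LINKTYPE_RAW = 101  # assumption: each packet starts with the IP header
BYTE_ORDER_MAGIC = 0x1A2B3C4D  # lets the reader detect the writer's byte order

def _block(block_type, body, bo):
    """Frame a pcapng block: type, total length, body padded to 32 bits, total length."""
    body += b"\x00" * (-len(body) % 4)
    total = len(body) + 12
    return struct.pack(bo + "II", block_type, total) + body + struct.pack(bo + "I", total)

def read_records(stream):
    """Yield payloads from a count+data stream (assumed 2-byte big-endian count)."""
    while True:
        hdr = stream.read(2)
        if not hdr:
            return
        if len(hdr) < 2:
            raise ValueError("truncated record count")
        (n,) = struct.unpack(">H", hdr)
        data = stream.read(n)
        if len(data) != n:
            raise ValueError("truncated record data")
        yield data

def write_pcapng(packets, out, bo=">", snaplen=65535):
    """Write (timestamp_us, bytes) pairs as one pcapng section with one interface."""
    # Section Header Block: magic, version 1.0, section length -1 (unspecified)
    out.write(_block(0x0A0D0D0A, struct.pack(bo + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1), bo))
    # Interface Description Block: link type, reserved, snaplen (no options)
    out.write(_block(0x00000001, struct.pack(bo + "HHI", LINKTYPE_RAW, 0, snaplen), bo))
    count = 0
    for ts_us, pkt in packets:
        cap = pkt[:snaplen]
        # Enhanced Packet Block: interface 0, timestamp high/low, captured and original length
        head = struct.pack(bo + "IIIII", 0, ts_us >> 32, ts_us & 0xFFFFFFFF, len(cap), len(pkt))
        out.write(_block(0x00000006, head + cap, bo))
        count += 1
    return count

def demo():
    # Constructed sample: two dummy payloads, not real captured traffic
    pkts = [bytes([0x45, 0, 0, 21]) + b"\x00" * 17, bytes([0x45, 0, 0, 20]) + b"\x00" * 16]
    stream = io.BytesIO(b"".join(struct.pack(">H", len(p)) + p for p in pkts))
    out = io.BytesIO()
    timed = ((1508758740000000 + i, p) for i, p in enumerate(read_records(stream)))
    n = write_pcapng(timed, out)
    return n, out.getvalue()
```

With no `if_tsresol` option on the interface, readers interpret the 64-bit timestamp as microseconds since the epoch, which is what the sketch supplies.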