This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

which protocol to use for decoding a pcap

0

Hi,

I have a .pcap file containing data of some protocol not already implemented in wireshark. While importing this pcap file into wireshark how will the wireshark know which protocol dissector to use for decoding the data?? I didn't find any field for such information in .pcap file format.

asked 03 Feb '12, 10:12

ashish_goel's gravatar image

ashish_goel
15121216
accept rate: 0%

One Answer:

1

(I'm assuming here that the protocol is the lowest-level protocol in the packets, just as, for example, IEEE 802.3 Ethernet would be the lowest-level protocol in an Ethernet capture file. If not, then there is no field in pcap files for higher-level protocols; either the protocol running below your protocol must have a field that specifies the next protocol - for example, the Ethernet type field in Ethernet packets - or it must always have the same protocol as the next protocol or must have some other way to specify the next protocol. In the first case, you'd have to register a dissector table for that field and use that; in the second case, the dissector for your protocol would always call the next protocol's dissector; in the third case, you'd probably need a preference to specify the next protocol.)

The field in question is the network field in the file header in the pcap file format and the LinkType field in an Interface Description Block record in the pcap-NG file format.

The values used in that field are the same in pcap and pcap-NG format. Those values are assigned by the Tcpdump Group by sending a request to [email protected] The current set of values is described by the list of link-layer header types at the Tcpdump Group's Web site.

However, those values are, within Wireshark, only known by the module in the Wiretap library (the library that reads capture files) that is common to pcap and pcap-NG files; that module is in the wiretap/pcap-common.c file. The rest of Wireshark has its own set of packet-type encapsulation values, and maps the link-layer header-type values for various capture file formats into those values. A dissector would register itself for a particular packet-type encapsulation value with a call to dissector_add_uint(), the first argument of which would be "wtap_encap", and the second argument of which would be the Wireshark encapsulation type value (NOT the link-layer type value assigned by the Tcpdump Group!).

You have two choices here:

  1. use one of the "reserved" values in the range 147 through 162 - LINKTYPE_USER0 through LINKTYPE_USER15 - and change the preference for the corresponding DLT_ value - DLT_USER0 through DLT_USER15 - in the DLT_USER protocol preference to use your protocol;
  2. request a standard LINKTYPE_ value from [email protected] and, once it's assigned, add a WTAP_ENCAP_ value for it (if there isn't already one), and modify the pcap_to_wtap_map[] table in wiretap/pcap-common.c to map the assigned LINKTYPE_ value to the corresponding WTAP_ENCAP_ value.

answered 03 Feb '12, 10:38

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

hi guy, thanx for the quick reply. My protocol is the lowest level protocol running and it is running independently without any upper and lower protocol.

But how do I proceed with writing the dissector?? I mean suppose I proceed with using one of the user defined value 150 for my dissector. I edit the entry in pcap_to_wtap_map[] corresponding to number 150 and change it to "WTAP_ENCAP_XYZ" where XYZ is my protocol. Then how is this WTAP_ENCAP_XYZ mapped to my protocol dissector. I mean while defining my protocol dissector, do I include this "WTAP_ENCAP_XYZ" anywhere??

(03 Feb '12, 11:16) ashish_goel
1

150 is LINKTYPE_USER3/DLT_USER3, so it would be mapped to WTAP_ENCAP_USER3; if you use the USERn values, you don't need to define your own WTAP_ENCAP_ values. However, if you use one of the USERn values, you are only guaranteed to be able to use it within your own organization; some other organization, including an organization to whom you provide your version of Wireshark, might already be using LINKTYPE_USER3 for their own purposes.

(03 Feb '12, 11:44) Guy Harris ♦♦

Thanx guy. I know if I am using this DLT value, it can clash with some other organization's version. So requesting a standard link type is the solution for this?

One more doubt, where and how am I supposed to map my protocol dissector with this WTAP_ENCAP_USER3. What I mean to ask is how wireshark will know that it has to use my protocol dissector for a .pcap containing value 150 in the network field.

(04 Feb '12, 02:28) ashish_goel

Hi, I read the HowtoDissectAnything page and found out that we can set this thing by going into prefrences->protocol->DLT_USER and here adding the entry for our protocol.

But here I am trying to add "foo" protocol which I defined by reading the wireshark developers guide. but as I try to add this protocol in payload protocol field, it throws this error "error in column 'Payload protocol': dissector not found". The protocol is present in wireshark. I can filter packets on this protocol.

(04 Feb '12, 03:35) ashish_goel

"dissector not found" doesn't mean the dissector isn't present, it means it wasn't found by name; you would have to register your dissector by name with register_dissector() in order for it to be found.

(04 Feb '12, 12:54) Guy Harris ♦♦

If you want to ensure that a capture for the "foo" protocol (or whatever it really is) could be read even at sites that are using DLT_USER3/LINKTYPE_USER3 for some other purpose, yes, you will have to request a LINKTYPE_/DLT_ value from [email protected] for that protocol.

(04 Feb '12, 16:24) Guy Harris ♦♦
showing 5 of 6 show 1 more comments