On Feb 16, 2021, at 2:41 AM, Shai Shapira via Wireshark-dev
wrote:
> I'm researching Microsoft's Network Monitor captures format (.cap files)
Unfortunately, you probably can't download NetMon from Microsoft any more, so
you probably can't get the help file that documents the capture file format any
more.
But if you have direct questions about it, I can answer them.
> and I need a lead in WS's code.
> Based on the 'link layer type' parsed from the file header the packets might
> be 802.11 frames with NM's special header.
> This dissector is known as "netmon_802_11" in wireshark.
>
> It is the first protocol in every frame's stack and it's registration routine
> is directly to the "wtap_encap" table like so:
> dissector_add_uint("wtap_encap", WTAP_ENCAP_IEEE_802_11_NETMON,
> netmon_802_11_handle);
>
> (from packet-ieee80211-netmon.c)
>
> Could someone point me to the functoin where the actual 'call_dissector' or
> 'call_dissector_with_data' is happening for the inital layer?
It's happening in the
switch (pinfo->rec->rec_type) {
case REC_TYPE_PACKET:
if ((force_docsis_encap) && (docsis_handle)) {
dissector_handle = docsis_handle;
} else {
/*
* XXX - we don't use
dissector_try_uint_new()
* because we don't want to have to
* treat a zero return from the
dissector
* as meaning "packet not accepted,
* because that doesn't work for
* packets where libwiretap strips
* off the metadata header and puts
* it into the pseudo-header, leaving
* zero bytes worth of payload. See
* bug 15630.
*
* If the dissector for the packet's
* purported link-layer header type
* rejects the packet, that's a sign
* of a bug somewhere, so making it
* impossible for those dissectors
* to reject packets isn't a problem.
*/
dissector_handle =
dissector_get_uint_handle(wtap_encap_dissector_table,
pinfo->rec->rec_header.packet_header.pkt_encap);
}
if (dissector_handle != NULL) {
guint32 save_match_uint =
pinfo->match_uint;
pinfo->match_uint =
pinfo->rec->rec_header.packet_header.pkt_encap;
call_dissector_only(dissector_handle,
tvb, pinfo, parent_tree,
(void *)pinfo->pseudo_header);
pinfo->match_uint = save_match_uint;
} else {
col_set_str(pinfo->cinfo, COL_PROTOCOL,
"UNKNOWN");
col_add_fstr(pinfo->cinfo, COL_INFO,
"WTAP_ENCAP = %d",
pinfo->rec->rec_header.packet_header.pkt_encap);
call_data_dissector(tvb, pinfo,
parent_tree);
}
break;
code in dissect_frame() in epan/dissectors/packet-frame.c
> Also, is that dependent on the file format we are parsing (pcap/pcapmg/cap)
No. (And there are more formats than those, not that "cap" is a file format -
several *different* file formats use ".cap" as the suffix, so there's no such
thing as a ".cap file".)
> or is there a single function all eventually get to?
Yes. The libwiretap library handles differences between capture file formats,
supplying packet information in a standard fashion to libwireshark.
___
Sent via:Wireshark-dev mailing list
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
