Re: [Wireshark-dev] Questions about dev
I try this out as well. Thank you.

On 11/7/06, Kukosa, Tomas <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I use a little bit different solution for a similar problem.
> Sometimes I need to dissect proprietary protocols from trace files not
> supported by Wireshark.
> I use the following way:
> 1) convert trace file to pcap format with linktype DLT_USERx (x=0-15)
>    simple conversion tool can be written in Perl, Python or whatever you
>    like
> 2) register my dissector to WTAP_ENCAP_USERx;
>    dissector_add("wtap_encap", WTAP_ENCAP_USERx, my_proto_handle);
>
> The advantage is that it does not need any changes (and recompilation)
> in Wireshark.
>
> regards,
> Tomas

--
Thanks and Regards,
Neha Chahal
Cell- 443 207 0414
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev
Re: [Wireshark-dev] Questions about dev
On Wed, Nov 08, 2006 at 09:52:26AM +0100, Jaap Keuter wrote:
> I'm all for that. I personally don't like extending Wireshark into the
> realm of trace file analyser.

Actually adding new file formats is quite ok, as long as there is some
"real use" for it for more than just a handful of users. Also, of course,
some sample traces and protocols captured must be available.

ciao
Joerg
Re: [Wireshark-dev] Questions about dev
Hi,

I'm all for that. I personally don't like extending Wireshark into the
realm of trace file analyser.

Thanx,
Jaap

On Wed, 8 Nov 2006, Kukosa, Tomas wrote:

> Hello,
>
> I use a little bit different solution for a similar problem.
> Sometimes I need to dissect proprietary protocols from trace files not
> supported by Wireshark.
> I use the following way:
> 1) convert trace file to pcap format with linktype DLT_USERx (x=0-15)
>    simple conversion tool can be written in Perl, Python or whatever you
>    like
> 2) register my dissector to WTAP_ENCAP_USERx;
>    dissector_add("wtap_encap", WTAP_ENCAP_USERx, my_proto_handle);
>
> The advantage is that it does not need any changes (and recompilation)
> in Wireshark.
>
> regards,
> Tomas
Re: [Wireshark-dev] Questions about dev
Hello,

I use a little bit different solution for a similar problem.
Sometimes I need to dissect proprietary protocols from trace files not
supported by Wireshark.
I use the following way:
1) convert trace file to pcap format with linktype DLT_USERx (x=0-15)
   simple conversion tool can be written in Perl, Python or whatever you
   like
2) register my dissector to WTAP_ENCAP_USERx;
   dissector_add("wtap_encap", WTAP_ENCAP_USERx, my_proto_handle);

The advantage is that it does not need any changes (and recompilation)
in Wireshark.

regards,
Tomas

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Neha Chahal
Sent: Tuesday, November 07, 2006 9:13 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Questions about dev
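A minimal version of the conversion tool Tomas describes, written as an added example (not code from this thread or from Wireshark): it reads a raw message dump, writes each message as one libpcap record with linktype DLT_USER0 (LINKTYPE value 147; DLT_USER1..15 are 148..162), so every frame begins at the protocol's fixed header, which is exactly what a dissector registered with dissector_add("wtap_encap", WTAP_ENCAP_USER0, ...) then receives. The dump framing (4-byte timestamp and 2-byte length in front of each message) and the b"LEA\x01" fixed header are constructed placeholders, not the real LEA format; truncated records are rejected rather than written out as short frames.

```python
"""Added example: convert a raw dump of proprietary messages into a libpcap
file whose linktype is DLT_USER0, so a dissector registered on
WTAP_ENCAP_USER0 receives every frame starting at the protocol's fixed header."""
import io
import struct

DLT_USER0 = 147          # LINKTYPE_USER0; DLT_USER1..DLT_USER15 are 148..162
PCAP_MAGIC = 0xA1B2C3D4  # little-endian pcap with microsecond timestamps
PCAP_GLOBAL_HDR = "<IHHiIII"  # magic, major, minor, thiszone, sigfigs, snaplen, network
PCAP_RECORD_HDR = "<IIII"     # ts_sec, ts_usec, incl_len, orig_len


def pcap_global_header(linktype, snaplen=65535):
    return struct.pack(PCAP_GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec, ts_usec, data):
    return struct.pack(PCAP_RECORD_HDR, ts_sec, ts_usec, len(data), len(data)) + data


def iter_dump_messages(blob):
    """Split the raw dump into (timestamp, message) pairs.

    ASSUMED dump framing (a placeholder, not the real LEA file format):
    4-byte big-endian seconds, 2-byte big-endian message length, then the
    message itself, which starts with the protocol's own fixed header.
    Truncated or zero-length records are rejected instead of being emitted
    as short frames that would only confuse the dissector later."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 6:
            raise ValueError(f"truncated record header at offset {off}")
        ts, length = struct.unpack_from(">IH", blob, off)
        off += 6
        if length == 0 or len(blob) - off < length:
            raise ValueError(f"bad message length {length} at offset {off}")
        yield ts, blob[off:off + length]
        off += length


def dump_to_pcap(blob, linktype=DLT_USER0):
    """Return (pcap_bytes, record_count); every message becomes one record."""
    out = io.BytesIO()
    out.write(pcap_global_header(linktype))
    count = 0
    for ts, msg in iter_dump_messages(blob):
        out.write(pcap_record(ts, 0, msg))
        count += 1
    return out.getvalue(), count


def read_pcap(data):
    """Minimal reader used to check the output: returns (linktype, [frames])."""
    magic, major, minor, _tz, _sig, snaplen, linktype = struct.unpack_from(
        PCAP_GLOBAL_HDR, data, 0)
    if magic != PCAP_MAGIC or (major, minor) != (2, 4):
        raise ValueError("not a little-endian pcap 2.4 file")
    off, frames = struct.calcsize(PCAP_GLOBAL_HDR), []
    while off < len(data):
        _sec, _usec, incl, _orig = struct.unpack_from(PCAP_RECORD_HDR, data, off)
        off += struct.calcsize(PCAP_RECORD_HDR)
        if incl > snaplen or len(data) - off < incl:
            raise ValueError(f"bad record at offset {off}")
        frames.append(data[off:off + incl])
        off += incl
    return linktype, frames


# Constructed sample dump: two messages, each with a made-up 4-byte fixed
# header b"LEA\x01", a 2-byte payload header and a variable-length payload.
SAMPLE_DUMP = (
    struct.pack(">IH", 1162900000, 10) + b"LEA\x01" + b"\x00\x01" + b"call"
    + struct.pack(">IH", 1162900001, 13) + b"LEA\x01" + b"\x00\x02" + b"hangup!"
)

if __name__ == "__main__":
    pcap, n = dump_to_pcap(SAMPLE_DUMP)
    with open("my_proto.pcap", "wb") as f:
        f.write(pcap)
    print(f"wrote {n} frames with linktype {DLT_USER0} to my_proto.pcap")
```

Opening the resulting file in Wireshark needs no wiretap changes at all; only the dissector registration on the matching WTAP_ENCAP_USERx value is required.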
Re: [Wireshark-dev] Questions about dev
On 11/7/06, Guy Harris <[EMAIL PROTECTED]> wrote:
> Neha Chahal wrote:
>
> > The format of the file is binary
>
> "Binary" isn't a format for a packet capture; there are several capture
> file formats, all of which are binary, but they're not all the same.
> What *specific* binary format is it?
>
> Is this some standard format (libpcap format as used by
> tcpdump/WinDump/Wireshark/etc., DOS Sniffer format, Windows Sniffer
> format, Microsoft Network Monitor format, Sun snoop format, etc.), or is
> it some format you or somebody else has created?

Yes it is "not" one of these formats. The packets are in LEA binary
format.

> > and the protocol is LEA.
>
> What protocol is that?

Law Enforcement Agency protocol for call tracing (lawful intercept
protocol)

> > It is a protocol at the application layer. So it is the top most
> > protocol.
>
> What protocol does it run atop? TCP? UDP? Some other protocol?

On top of UDP for my application.

> > So I have to implement both. Is that true?
>
> Yes, you have to implement both read and seek_read functions.
>
> > So my read routine is returning the packet in wth->frame_buffer. But I
> > have not implemented the seek_read. The README.dev says "implement
> > seek_read if necessary". What does this mean?
>
> It means that the documentation hasn't been updated to indicate that
> there's no longer a "default" seek_read routine that a file format
> module can use, so modules always have to have their own seek_read
> routine. (I've just checked in a change to wiretap/README.developer to
> fix that.)
>
> > When is it necessary?
>
> Always.
>
> > My packets don't have any transport layer headers. They are in the
> > format I have specified in the dissector. So this is what my packet
> > looks like.
> >
> > fixed header
> > payload header
> > variable length payload
>
> So are you saying that the *ONLY* protocol in the packet is this "LEA"
> protocol?

Yes, only LEA.

> > In the dissector I have given protocol details starting from the fixed
> > header. So the packet that I return in the wth->frame_buffer should
> > start from the fixed header to the end of the payload. Is this
> > correct?
>
> Yes.
>
> > Where should the data offset point? At the payload header or at the
> > fixed header?
>
> At the fixed header - it's the offset to which the seek_read routine
> would need to seek to get the entire packet.

okay.

So once I am done doing these changes, how do I test my changes?
Should I do a make install and then run tethereal on my binary file?
Currently I am working on the ethereal tar I downloaded.

Thank you very much, forgive me if I sound stupid. But I am very new
to ethereal/wireshark.

--Neha

--
Thanks and Regards,
Neha Chahal
Re: [Wireshark-dev] Questions about dev
Neha Chahal wrote:

> The format of the file is binary

"Binary" isn't a format for a packet capture; there are several capture
file formats, all of which are binary, but they're not all the same.
What *specific* binary format is it?

Is this some standard format (libpcap format as used by
tcpdump/WinDump/Wireshark/etc., DOS Sniffer format, Windows Sniffer
format, Microsoft Network Monitor format, Sun snoop format, etc.), or is
it some format you or somebody else has created?

> and the protocol is LEA.

What protocol is that?

> It is a protocol at the application layer. So it is the top most
> protocol.

What protocol does it run atop? TCP? UDP? Some other protocol?

> So I have to implement both. Is that true?

Yes, you have to implement both read and seek_read functions.

> So my read routine is returning the packet in wth->frame_buffer. But I
> have not implemented the seek_read. The README.dev says "implement
> seek_read if necessary". What does this mean?

It means that the documentation hasn't been updated to indicate that
there's no longer a "default" seek_read routine that a file format
module can use, so modules always have to have their own seek_read
routine. (I've just checked in a change to wiretap/README.developer to
fix that.)

> When is it necessary?

Always.

> My packets don't have any transport layer headers. They are in the
> format I have specified in the dissector. So this is what my packet
> looks like.
>
> fixed header
> payload header
> variable length payload

So are you saying that the *ONLY* protocol in the packet is this "LEA"
protocol?

> In the dissector I have given protocol details starting from the fixed
> header. So the packet that I return in the wth->frame_buffer should
> start from the fixed header to the end of the payload. Is this
> correct?

Yes.

> Where should the data offset point? At the payload header or at the
> fixed header?

At the fixed header - it's the offset to which the seek_read routine
would need to seek to get the entire packet.
Re: [Wireshark-dev] Questions about dev
On 11/7/06, Guy Harris <[EMAIL PROTECTED]> wrote:
> Neha Chahal wrote:
>
> > I am very new to the ethereal source code. I want to add a dissector
> > that understands my protocol – "my_proto".
> >
> > Problem statement:
> >
> > I have a binary file my_proto_dump.log. This file has packets received
> > by my application.
>
> What format is that file in?

The format of the file is binary and the protocol is LEA.

> > I want ethereal to read from a binary file packets in my_proto
> > protocol and then be able to dissect these packets and produce an
> > output file.
> >
> > I am having a hard time understanding how to join the pieces together.
> >
> > I have a few questions about this.
> >
> > 1. To make ethereal dissect my protocol I have to add a dissector,
> > right? I would have to add under plugins/my_proto.c – which is my
> > dissector. This step has been explained nicely in the manual. I did
> > this.
> > 2. How do I make ethereal call my dissector?
>
> Is your protocol the bottommost protocol (for example, in an Ethernet
> capture, the bottommost protocol is Ethernet), or is it a protocol that
> runs atop another protocol (for example, in that Ethernet capture, an IP
> packet would probably have IP running atop Ethernet)?

It is a protocol at the application layer. So it is the top most
protocol.

> > 3. Do I have to make changes to add my capture file type in the wiretap/
> > dir.
>
> Only if your binary file is in a format that Wireshark doesn't already
> support. If, for example, it's a capture file in the format that
> tcpdump/WinDump supports, that's also the standard format that Wireshark
> uses, and so you already have code to support it.

No, it is not a format wireshark supports. I tried tethereal on my binary
file and it prints a message -- format not supported. The format is LEA
format.

> > 4. What is the difference between read and seek_read functions.
>
> The read function is used in TShark, which only does a sequential read
> of the file, and in Wireshark when the file is first read in.
>
> The seek_read function is used after that in Wireshark, because packets
> aren't necessarily processed in sequential order once the capture has
> been read in.

So I have to implement both. Is that true?

> > Do I
> > have to return the packet in the wth->format_buffer?
>
> Presumably you meant "wth->frame_buffer".
>
> If so, then the read routine returns the packet there, and the seek_read
> routine returns the packet in the buffer pointed to by the "pd" argument.

So my read routine is returning the packet in wth->frame_buffer. But I
have not implemented the seek_read. The README.dev says "implement
seek_read if necessary". What does this mean? When is it necessary?

> > Is this packet
> > used by the dissector to dissect?
>
> Those packet contents are what the dissectors in TShark and Wireshark
> dissect.
>
> > If yes this packet should have all
> > the bits I mention in the dissector code ?
>
> It should have all the bits that were captured from the network. :-)
>
> ("Bits" here meaning "binary digits" - i.e., it's just the raw contents
> of the packet.)

My packets don't have any transport layer headers. They are in the
format I have specified in the dissector. So this is what my packet
looks like.

fixed header
payload header
variable length payload

In the dissector I have given protocol details starting from the fixed
header. So the packet that I return in the wth->frame_buffer should
start from the fixed header to the end of the payload. Is this correct?
Where should the data offset point? At the payload header or at the
fixed header?

> > 5. After this what is the ethereal output format. Do I have to specify
> > the output format also.
>
> What do you mean by "output format"?
>
> The output of a dissector is some protocol tree entries added to the
> tree, and information used to generate the columns in the summary
> display. Code outside the dissector - code that you will not have to
> write or modify, unless your protocol somehow requires some additional
> features, which it almost certainly doesn't - turns that into
> information in windows on the display, or text in a text file, or XML in
> a PSML or PDML file, or ... Those output formats are not anything you
> have to deal with.

Yes, thank you, understood now.

> If your capture file is in a format that Wireshark doesn't currently
> support writing, and you want to allow it to read in a file in some
> other format and write it out in your format, you'd have to add code to
> Wiretap to write that format.

Okay. So I just want it to read the binary stream from a file. This file
is created by my application that just dumps incoming LEA format messages
in binary format. So I think I need to add a module in the wiretap too.

Thank you so much. This has helped me a lot. Excuse me if my questions
are naive, but I really need the answers. Hope I have answered your
questions in detail and you understand my answer.
Re: [Wireshark-dev] Questions about dev
Neha Chahal wrote:

> I am very new to the ethereal source code. I want to add a dissector
> that understands my protocol – "my_proto".
>
> Problem statement:
>
> I have a binary file my_proto_dump.log. This file has packets received
> by my application.

What format is that file in?

> I want ethereal to read from a binary file packets in my_proto
> protocol and then be able to dissect these packets and produce an
> output file.
>
> I am having a hard time understanding how to join the pieces together.
>
> I have a few questions about this.
>
> 1. To make ethereal dissect my protocol I have to add a dissector,
> right? I would have to add under plugins/my_proto.c – which is my
> dissector. This step has been explained nicely in the manual. I did
> this.
> 2. How do I make ethereal call my dissector?

Is your protocol the bottommost protocol (for example, in an Ethernet
capture, the bottommost protocol is Ethernet), or is it a protocol that
runs atop another protocol (for example, in that Ethernet capture, an IP
packet would probably have IP running atop Ethernet)?

> 3. Do I have to make changes to add my capture file type in the wiretap/
> dir.

Only if your binary file is in a format that Wireshark doesn't already
support. If, for example, it's a capture file in the format that
tcpdump/WinDump supports, that's also the standard format that Wireshark
uses, and so you already have code to support it.

> 4. What is the difference between read and seek_read functions.

The read function is used in TShark, which only does a sequential read
of the file, and in Wireshark when the file is first read in.

The seek_read function is used after that in Wireshark, because packets
aren't necessarily processed in sequential order once the capture has
been read in.

> Do I
> have to return the packet in the wth->format_buffer?

Presumably you meant "wth->frame_buffer".

If so, then the read routine returns the packet there, and the seek_read
routine returns the packet in the buffer pointed to by the "pd" argument.

> Is this packet
> used by the dissector to dissect?

Those packet contents are what the dissectors in TShark and Wireshark
dissect.

> If yes this packet should have all
> the bits I mention in the dissector code ?

It should have all the bits that were captured from the network. :-)

("Bits" here meaning "binary digits" - i.e., it's just the raw contents
of the packet.)

> 5. After this what is the ethereal output format. Do I have to specify
> the output format also.

What do you mean by "output format"?

The output of a dissector is some protocol tree entries added to the
tree, and information used to generate the columns in the summary
display. Code outside the dissector - code that you will not have to
write or modify, unless your protocol somehow requires some additional
features, which it almost certainly doesn't - turns that into
information in windows on the display, or text in a text file, or XML in
a PSML or PDML file, or ... Those output formats are not anything you
have to deal with.

If your capture file is in a format that Wireshark doesn't currently
support writing, and you want to allow it to read in a file in some
other format and write it out in your format, you'd have to add code to
Wiretap to write that format.