On Apr 15, 2010, at 9:59 AM, Edgar, Thomas wrote:

> After looking at how the pcap_set_datalink process works I think I have 
> decided to keep my timing method as the default COM interface datalink type.  
> But I will create it with the capability of setting the datalink type so that 
> you can force the proper framing if you know what protocol is present.  I 
> will create framing for the three protocols I am targeting and lay it out so 
> others can be added.  With this approach you can up front choose the framing, 
> as you have suggested, and guarantee proper frames or you can allow Wireshark 
> to try to figure out what protocol is present via the heuristic dissectors if 
> you do not know the protocol beforehand.
> 
> Does this fit your architecture?

That sounds reasonable.

So since this is just tapping a raw serial line, rather than tapping through an 
OS protocol implementation that might prepend metadata, delete fields, reshape 
fields, etc., presumably the difference between what the protocol specification 
lists and what will be in the packet is probably small.

So, for all of the following:
 
> DNP3 Serial framing (DLT_DNP3 and LINKTYPE_DNP3)
> Modbus RTU Framing (DLT_MODBUS and LINKTYPE_MODBUS)
> SSCP Framing (In the process of making this protocol an IEEE standard which 
> is the impetus for this work) (DLT_SSCP and LINKTYPE_SSCP)

presumably there's a protocol specification somewhere.  Could you indicate how 
that specification can be obtained (even if it costs money), and whether each 
packet will include all of the raw octets read from the serial line in the 
frame, or whether any transformation would be done (for example, with HDLC 
framing, escaping is necessary for octets with the same value as the frame 
delimiter or, as I remember, the escape octet value, which could be left intact 
or could be removed)?

(I'm assuming that no transformation of the octets would be done for 
DLT_SERIAL/LINKTYPE_SERIAL, as you don't know what the protocol is in that 
case.)

This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
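
The HDLC escaping question in the message above, as an added example (not code from this thread, libpcap or Wireshark): the same frame body yields two different capture records depending on whether escapes are left intact or removed, so a link-type description has to say which one a dissector receives. It assumes the RFC 1662 octet-stuffing values (0x7E delimiter, 0x7D escape, XOR 0x20); `frame_payload` and the sample octets are hypothetical and constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FLAG 0x7E /* frame delimiter (RFC 1662 value, assumed) */
#define ESC  0x7D /* escape octet (RFC 1662 value, assumed) */

/* Constructed sample: octets between two delimiters, as seen on the wire.
 * The payload 01 7E 02 7D 03 has been stuffed by the sender. */
static const uint8_t SAMPLE[] = { 0x01, ESC, 0x5E, 0x02, ESC, 0x5D, 0x03 };

/* Hypothetical helper: copy one frame body into a capture record.
 * unescape == 0 keeps the raw octets; unescape != 0 removes the stuffing.
 * Returns the record length, or -1 for a malformed frame or a full buffer. */
long frame_payload(const uint8_t *in, size_t in_len,
                   uint8_t *out, size_t out_cap, int unescape)
{
    size_t n = 0;
    for (size_t i = 0; i < in_len; i++) {
        uint8_t b = in[i];
        if (b == FLAG)
            return -1;              /* bare delimiter inside a frame */
        if (unescape && b == ESC) {
            if (++i >= in_len || in[i] == FLAG)
                return -1;          /* truncated or aborted escape */
            b = in[i] ^ 0x20;
        }
        if (n >= out_cap)
            return -1;              /* never write past the record buffer */
        out[n++] = b;
    }
    return (long)n;
}

int main(void)
{
    uint8_t rec[16];
    printf("raw record: %ld octets\n",
           frame_payload(SAMPLE, sizeof SAMPLE, rec, sizeof rec, 0));
    printf("unescaped record: %ld octets\n",
           frame_payload(SAMPLE, sizeof SAMPLE, rec, sizeof rec, 1));
    return 0;
}
```

A dissector that expects unescaped records but is handed raw ones sees two extra octets here and reads every length and checksum field after the first escape at the wrong offset.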
