-----Original Message-----
From: Anders Broman 
Sent: den 19 juni 2013 19:23
To: 'm...@sandelman.ca'
Cc: tcpdump-workers@lists.tcpdump.org
Subject: RE: [tcpdump-workers] Request for new DLT



-----Original Message-----
From: m...@sandelman.ca [mailto:m...@sandelman.ca] 
Sent: den 19 juni 2013 14:50
To: Anders Broman
Cc: tcpdump-workers@lists.tcpdump.org
Subject: Re: [tcpdump-workers] Request for new DLT


Anders Broman <anders.bro...@ericsson.com> wrote:
    Anders> Hi, Any chance of getting forward on this? I'm not sure what I
    Anders> should change/make clearer to get this request accepted. We now
    Anders> have another use case in Wireshark: - Exporting decrypted packets
    Anders> from SSL sessions by "cutting" them off after the SSL layer and
    Anders> saving the file with the new DLT value the TLV:s and then the
    Anders> PDU:s Following after the SSL layer.  Regards Anders Broman

After the pcap is created, how will another tool know what's in these payloads?

That's our fundamental question.  Can anyone other than the original person who 
saved these files have a clue what dissector to apply?
Forgive me if I'm just not seeing where this information is going to be.

If not, then one of the PCAP private values makes sense.
Currently there are two tags defined to indicate which protocol the packet block
starts with:

#define EXP_PDU_TAG_LINKTYPE          11 /**< The value part is the linktype value defined by tcpdump
                                          * http://www.tcpdump.org/linktypes.html
                                          */
#define EXP_PDU_TAG_PROTO_NAME        12 /**< The value part should be an ASCII non NULL terminated string
                                          * of the short protocol name used by Wireshark e.g. "sip"
                                          * Will be used to call the next dissector.
                                          */

The Wireshark implementation currently only uses EXP_PDU_TAG_PROTO_NAME.
Is this good enough?
Regards
Anders Broman


Ping?

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
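
An added example, not part of the thread or of Wireshark's code: a bounds-checked C walk over the TLVs that precede each exported PDU, returning the protocol name or linktype a reader would use to pick a dissector. The two tag numbers come from the message above; the 2-byte big-endian tag and length fields, the terminating tag 0, the 4-byte linktype value, and the names exp_pdu_info and exp_pdu_parse are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EXP_PDU_TAG_END_OF_OPT  0   /* assumption: terminator tag, not in the thread */
#define EXP_PDU_TAG_LINKTYPE    11  /* from the thread */
#define EXP_PDU_TAG_PROTO_NAME  12  /* from the thread */

struct exp_pdu_info {             /* hypothetical result type */
    int      has_linktype;
    uint32_t linktype;
    char     proto_name[32];      /* NUL-terminated copy; "" if tag absent */
    size_t   payload_off;         /* where the exported PDU starts */
};

static uint32_t rd_be(const uint8_t *p, size_t n)
{
    uint32_t v = 0;
    while (n--) v = (v << 8) | *p++;
    return v;
}

/* Walk the TLVs in front of one packet. Returns 0, or -1 if malformed. */
int exp_pdu_parse(const uint8_t *buf, size_t len, struct exp_pdu_info *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (len - off >= 4) {                      /* room for tag + length */
        uint16_t tag  = (uint16_t)rd_be(buf + off, 2);
        size_t   vlen = rd_be(buf + off + 2, 2);
        const uint8_t *val = buf + off + 4;
        off += 4;
        if (vlen > len - off) return -1;          /* value overruns the capture */
        off += vlen;
        if (tag == EXP_PDU_TAG_END_OF_OPT) {
            out->payload_off = off;
            return 0;
        } else if (tag == EXP_PDU_TAG_LINKTYPE) {
            if (vlen != 4) return -1;             /* assumption: 32-bit value */
            out->linktype = rd_be(val, 4);
            out->has_linktype = 1;
        } else if (tag == EXP_PDU_TAG_PROTO_NAME) {
            if (vlen == 0 || vlen >= sizeof out->proto_name) return -1;
            for (size_t i = 0; i < vlen; i++)     /* printable ASCII only */
                if (val[i] < 0x21 || val[i] > 0x7e) return -1;
            memcpy(out->proto_name, val, vlen);
            out->proto_name[vlen] = '\0';         /* source string is unterminated */
        }                                         /* unknown tags are skipped */
    }
    return -1;                                    /* no terminator before end */
}
```

The name is length-checked and restricted to printable ASCII before it is used as a dissector lookup key, since the file may come from an untrusted source.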
