On Dec 29, 2013, at 11:21 PM, Michal Labedzki <michal.labed...@tieto.com> wrote:
> Implementation in libpcap is very similar to pcap-bt-linux.c, but:
> 1. There is only one interface, let's call it bluetooth-monitor

I.e., it's like the "any" device.

> 2. Pseudo header is:
> guint16 adapter_id;

So that presumably indicates on which physical adapter the packet was sent or received.

> guint16 opcode;

I infer from

+static const value_string opcode_vals[] = { + { 0x00, "New Index" }, + { 0x01, "Delete Index" }, + { 0x02, "HCI Command Packet" }, + { 0x03, "HCI Event Packet" }, + { 0x04, "ACL Tx Packet" }, + { 0x05, "ACL Rx Packet" }, + { 0x06, "SCO Tx Packet" }, + { 0x07, "SCO Rx Packet" }, + { 0x00, NULL }

in the Wireshark patch that those are the possible opcode values. The HCI spec describes the packet types as

HCI Command Packet
HCI ACL Data Packet
HCI Synchronous Data Packet
HCI Event Packet

so presumably "ACL Tx Packet" and "ACL Rx Packet" are HCI ACL Data Packets transmitted and received by the host, respectively, and "SCO Tx Packet" and "SCO Rx Packet" are HCI Synchronous Data Packets transmitted and received by the host, respectively. (Presumably HCI Command Packets are always transmitted by the host and HCI Event Packets are always received by the host.)

Is what *follows* the pseudo-header just a regular HCI packet, except for "New Index" and "Delete Index"?
Does "New Index" mean "here's a new interface", with adapter_id being the adapter ID of the new interface, and with the payload being, as inferred from

+ case 0x00: /* New Index */ + proto_tree_add_item(hci_mon_tree, hf_bus, tvb, offset, 1, ENC_NA); + offset += 1; + + proto_tree_add_item(hci_mon_tree, hf_type, tvb, offset, 1, ENC_NA); + offset += 1; + + offset = dissect_bd_addr(hf_bd_addr, hci_mon_tree, tvb, offset); + + proto_tree_add_item(hci_mon_tree, hf_name, tvb, offset, 8, ENC_NA | ENC_ASCII); + offset += 8; + + break;

having a 1-byte interface bus value from the set implied by

+static const value_string bus_vals[] = { + { 0x00, "BR/EDR" }, + { 0x01, "AMP" }, + { 0x00, NULL } +};

followed by a 1-byte interface type value from the set implied by

+static const value_string type_vals[] = { + { 0x00, "Virtual" }, + { 0x01, "USB" }, + { 0x02, "PC Card" }, + { 0x03, "UART" }, + { 0x04, "RS232" }, + { 0x05, "PCI" }, + { 0x06, "SDIO" }, + { 0x00, NULL } +};

followed by a byte-reversed MAC address for the interface as implied by

+ offset = dissect_bd_addr(hf_bd_addr, hci_mon_tree, tvb, offset);

and the code of dissect_bd_addr(), followed by an 8-byte ASCII string for the interface name, and does "Delete Index" mean "this interface disappeared", with adapter_id being the adapter ID of the interface, and with no payload, as implied by

+ case 0x01: /* Delete Index */ + /* No parameters */ + + break;
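
Review bot: the `case 0x00: /* New Index */` and `case 0x01: /* Delete Index */` labels repeat as bare literals the values already listed in `opcode_vals`, so the table and the switch can drift apart; define named constants for the opcodes and use them in both places. No handling for opcodes outside the table is visible in the quoted lines, so an unknown opcode should get a default branch that flags it.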
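
Review bot: the New Index case carries no description of the payload layout, and a reader has to work out from `dissect_bd_addr()` and the fixed length in `hf_name, tvb, offset, 8, ENC_NA | ENC_ASCII` that it is bus, type, a 6-byte address and an 8-byte name; add a comment stating the layout, the address byte order and whether the name is NUL-padded. In the Delete Index case, `/* No parameters */` means any bytes that follow the pseudo-header are ignored silently; consider flagging leftover data so a malformed or extended record is visible.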
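
The "New Index" payload layout inferred in the message above, written out as a bounds-checked parser. This is an added example, not code from the Wireshark or libpcap patches; the layout itself is the message's unconfirmed inference, and `parse_new_index`, `struct new_index`, `bus_name`, `type_name` and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (inferred above, unconfirmed): bus(1) type(1) bd_addr(6, reversed) name(8). */
#define NEW_INDEX_LEN 16

struct new_index {
    uint8_t bus, type;
    uint8_t bd_addr[6];  /* display order after parsing */
    char name[9];        /* 8 wire bytes plus a terminator */
};

static const char *const bus_names[] = { "BR/EDR", "AMP" };
static const char *const type_names[] = { "Virtual", "USB", "PC Card", "UART", "RS232", "PCI", "SDIO" };

/* Constructed sample payload: BR/EDR, USB, 00:11:22:33:44:55, "hci0". */
static const uint8_t sample_new_index[NEW_INDEX_LEN] = {
    0x00, 0x01, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00,
    'h', 'c', 'i', '0', 0, 0, 0, 0 };

/* Returns 0 on success, -1 if the payload cannot hold the whole record. */
int parse_new_index(const uint8_t *p, size_t len, struct new_index *out)
{
    if (p == NULL || out == NULL || len < NEW_INDEX_LEN)
        return -1;
    out->bus = p[0];
    out->type = p[1];
    for (int i = 0; i < 6; i++)       /* undo the byte reversal */
        out->bd_addr[i] = p[7 - i];
    for (int i = 0; i < 8; i++) {     /* keep NULs, mask non-printable bytes */
        uint8_t c = p[8 + i];
        out->name[i] = (c == 0 || (c >= 0x20 && c <= 0x7e)) ? (char)c : '?';
    }
    out->name[8] = '\0';              /* the wire field may use all 8 bytes */
    return 0;
}

/* Values outside the tables are reported, never used as an index. */
const char *bus_name(uint8_t v)  { return v < 2 ? bus_names[v] : "Unknown"; }
const char *type_name(uint8_t v) { return v < 7 ? type_names[v] : "Unknown"; }

int main(void)
{
    struct new_index ni;
    if (parse_new_index(sample_new_index, sizeof sample_new_index, &ni) == 0)
        printf("%s %s %s\n", bus_name(ni.bus), type_name(ni.type), ni.name);
    return 0;
}
```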