Hi, Did not find it online, but some basics:
Put the following lines into a file
0000 00 0c 00 0c 67 73 6d 5f 61 5f 64 74 61 70 00 00 ..... gsm_a_dtap 67 73 6d 5f 61 5f 64 74 61 70
0010 00 1e 00 04 00 00 00 01 00 00 00 00 08 15 03
And run
text2pcap.exe -l 252 Manufacture_frames_exp_pdu.txt Manufactured_frames_exp_pdu.pcapng
0000 00 0c 00 0c 6e 61 73 2d 35 67 73 00 00 00 00 00 ....nas-5gs.....
0010 00 1e 00 04 00 00 00 01 00 00 00 00 7e 00 3e 57 ..............>A
Message type last octet 0x57 Authentication response
0020 78 00 57 0a 01 25 46 00 00 55 71 53 01 d6 10 04 ó....%F..UqS.Ö..
0030 8e 42 20 10 00 04 20 63 db 24 2f 04 4d aa 62 67 .B n.. cÛ$/.Mªbg
0040 52 22 04 78 78 00 33 78 00 30 00 5e 7b 78 40 04 R"."..0.nf.^{x@.
0050 75 9f 77 77 50 04 5a fa f6 6d b0 2b 03 3d ff ff u.wwP.Zúöm°+.=ÿÿ
0060 2c 04 00 00 00 00 2d 06 00 00 00 00 00 00 c0 7c ,.....-.......À|
0070 00 08 07 00 c0 7c 00 02 00 00 ....À|....
text2pcap.exe -l 252 Manufacture_frames_exp_pdu.txt Manufactured_frames_exp_pdu.pcapng
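An added example, not part of the original message: the exported-PDU framing of the first hex dump (a 2-byte tag, a 2-byte length, a value padded to 4 bytes, an all-zero end tag, then the payload), built and parsed in Python and wrapped in a pcap file with link type 252, so a logger can write such frames directly instead of going through text2pcap. The tag names follow epan/exported_pdu.h; the function names are hypothetical.

```python
import struct

# Tag numbers as seen in the hex dump; names follow epan/exported_pdu.h.
TAG_END_OF_OPT = 0
TAG_PROTO_NAME = 12          # 0x000c: name of the dissector to call
TAG_ORIG_FNO = 30            # 0x001e: original frame number
LINKTYPE_EXPORTED_PDU = 252  # same value as "text2pcap -l 252"

def _tlv(tag, value):
    """2-byte tag, 2-byte length, then the value zero-padded to 4 bytes."""
    value += b"\x00" * (-len(value) % 4)
    return struct.pack(">HH", tag, len(value)) + value

def build_exported_pdu(proto_name, payload, orig_frame=None):
    """One exported-PDU frame: tags, end-of-options marker, raw payload."""
    out = _tlv(TAG_PROTO_NAME, proto_name.encode("ascii"))
    if orig_frame is not None:
        out += _tlv(TAG_ORIG_FNO, struct.pack(">I", orig_frame))
    return out + _tlv(TAG_END_OF_OPT, b"") + payload

def parse_exported_pdu(frame):
    """Return ({tag: value}, payload); raise ValueError on a truncated tag."""
    tags, pos = {}, 0
    while True:
        if pos + 4 > len(frame):
            raise ValueError("truncated tag header at offset %d" % pos)
        tag, length = struct.unpack_from(">HH", frame, pos)
        pos += 4
        if pos + length > len(frame):
            raise ValueError("tag %d overruns the frame" % tag)
        if tag == TAG_END_OF_OPT:
            return tags, frame[pos + length:]
        tags[tag] = frame[pos:pos + length]
        pos += length

def to_pcap(frames):
    """Classic big-endian pcap file holding the frames with link type 252."""
    out = struct.pack(">IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535,
                      LINKTYPE_EXPORTED_PDU)
    for f in frames:  # timestamps are written as zero
        out += struct.pack(">IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed input: the values of the first dump (gsm_a_dtap, frame 1, 08 15 03).
FRAME = build_exported_pdu("gsm_a_dtap", bytes.fromhex("081503"), orig_frame=1)
TAGS, PAYLOAD = parse_exported_pdu(FRAME)
```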
From: Wireshark-dev <[email protected]> On Behalf Of Juanjo Martin Carrascosa
Sent: 15 January 2020 14:54
To: Developer support list for Wireshark <[email protected]>
Subject: Re: [Wireshark-dev] Bypassing the first layer
This helps me too. There are some slides about export pdu.
But yes, any material is welcome. Thanks for the help team. This is fantastic.
On Wed, Jan 15, 2020 at 2:47 PM Dario Lombardo <[email protected]> wrote:
I don't think this is what Anders was talking about. This is about extcap,
while I was referring to export_pdu.
If you or Anders can reference the right one, that would be great.
If you want to have a look at something using export_pdu creating a pcap file,
have a look at the udpdump.c code.
On Wed, Jan 15, 2020 at 2:37 PM Juanjo Martin Carrascosa <[email protected]> wrote:
https://sharkfestus.wireshark.org/assets/presentations18/17.pptx
On Wed, Jan 15, 2020 at 2:36 PM Dario Lombardo <[email protected]> wrote:
Can you share the link, for future reference?
On Wed, Jan 15, 2020 at 2:15 PM Juanjo Martin Carrascosa <[email protected]> wrote:
Found the presentation, this is fantastic.
Thanks!
On Wed, Jan 15, 2020 at 12:58 PM Anders Broman via Wireshark-dev <[email protected]> wrote:
Hi,
In the frame layer there is the “Encapsulation type”; the way the pcap format
works, this indicates how the data following should be interpreted.
Linktype/encapsulation type is defined at
https://www.tcpdump.org/linktypes.html so one thing you could do is to design
your own DLT.
Add whatever meta data you want and then add the RTPS data at some position in
that structure. You can try this out by using the USER DLTs in Wireshark.
Or if you do not want to request a DLT from tcpdump (DO NOT USE ONE WITHOUT
ALLOCATING IT) you could use the Exported PDU DLT defined by Wireshark.
Epan/exported_pdu.h contains some information. If you would require new
elements for meta information that could be discussed. Adding RTSP data in
an exported_pdu DLT frame should be simple as an initial test. I think there is
a sharkfest presentation on how to add any protocol data in an exported pdu
frame with text2pcap.
Regards
Anders
From: Wireshark-dev <[email protected]> On Behalf Of Juanjo Martin Carrascosa
Sent: 15 January 2020 12:24
To: Developer support list for Wireshark <[email protected]>
Subject: Re: [Wireshark-dev] Bypassing the first layer
Hi Dario,
Could you elaborate on this? I get the idea but my knowledge about the how is
very basic.
How can this help me achieve what I need?
Thanks for the help.
Juanjo Martin
On Tue, Jan 14, 2020 at 4:48 PM Dario Lombardo <[email protected]> wrote:
You can use export_pdu. This is a layer with multiple attributes (see
epan/exported_pdu.h), but the only really needed is the proto_name, that allows
you to directly call a dissector by its name.
You will have frames with this stack: FRAME/EXPORT PDU/RTPS, that is properly
dissected by wireshark.
On Tue, Jan 14, 2020 at 4:33 PM Juanjo Martin Carrascosa <[email protected]> wrote:
Hi everyone,
RTPS is a protocol already supported by Wireshark. I have been helping maintain
that protocol these past years. It sits on top of TCP and UDP, as well as some
other transports that are not network ones (Shared Memory typically with a
proprietary implementation).
We are currently working on implementing a new logging mechanism for our
product, mainly to address the Shared Memory scenario but it can also be really
useful when RTPS is used on top of network protocols.
Problem: We can log the RTPS layer but we don't have some information in our
middleware like the Frame or Ethernet information, so we need to make it up.
This is ugly, so I am trying to avoid that:
How can I register a protocol so it is picked up instead of the Frame layer?
This is, I want to create a new protocol that detects that the information we
generate is for that protocol and the Frame protocol is not called, but the new
protocol I am creating. This new protocol will then call the RTPS protocol to
dissect the payload I want to display. We are planning to also add some
information to this custom protocol, that's why I want it to be called first.
Note: I just came up with this solution, but if you have a different solution
for this, please let me know.
Thanks,
Juanjo Martin
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]
<mailto:[email protected]> >
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]
<mailto:[email protected]> ?subject=unsubscribe
--
Naima is online.
--
Juanjo Martin
Principal Application Engineer
EMEA Services Lead @ Professional Services Group
Office: +34 958 27 88 62
[email protected] <mailto:[email protected]>
www.rti.com
