tcpdump mailing list archives
Re: Request for new DLT and LINKTYPE value
From: "Edgar, Thomas" <thomas.edgar () pnl gov>
Date: Thu, 15 Apr 2010 09:59:16 -0700
On Apr 13, 2010, at 3:30 PM, Guy Harris wrote:
> I think heuristics are what you use when you can't use anything else; if they're too strong, they will fail to identify things that they should (and people will complain about it), and if they're too weak, they will identify things that they shouldn't (and people will complain about it). We have had to tweak the heuristics in Wireshark dissectors and Wireshark file-type identifiers, sometimes more than once, and it's a pain.
>
> If you can come up with sufficiently strong heuristics for the protocols in question, such that you can always, or almost always, correctly identify the protocol - and somebody isn't going to have to repeatedly tweak the heuristics, or even add a UI option to override it (at which point we have something not very different from an option you set when you do the capture) - then that might suffice.
After looking at how the pcap_set_datalink process works I think I have decided to keep my timing method as the default COM interface datalink type. But I will create it with the capability of setting the datalink type so that you can force the proper framing if you know what protocol is present. I will create framing for the three protocols I am targeting and lay it out so others can be added. With this approach you can up front choose the framing, as you have suggested, and guarantee proper frames, or you can allow Wireshark to try to figure out what protocol is present via the heuristic dissectors if you do not know the protocol beforehand. Does this fit your architecture?

I need to address my use case of capturing unknown protocols but I also don't want to create something the community will not absorb. My goal is not to create a fork.

If this approach is acceptable I will need DLT_/LINKTYPE_ values for:

Default serial time-based framing (DLT_SERIAL and LINKTYPE_SERIAL)
DNP3 serial framing (DLT_DNP3 and LINKTYPE_DNP3)
Modbus RTU framing (DLT_MODBUS and LINKTYPE_MODBUS)
SSCP framing (in the process of making this protocol an IEEE standard, which is the impetus for this work) (DLT_SSCP and LINKTYPE_SSCP)

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
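As an added example (not code from this thread, and not the capture module the reply describes), the Python below sketches the two paths the reply proposes: a default that cuts frames on line silence and then lets heuristic identification run, and a forced framing an operator selects when the protocol is already known. The Modbus RTU check uses CRC-16/MODBUS and the DNP3 check uses the DNP3 link-layer layout with CRC-16/DNP, as those protocols document them; the labels FRAMING_SERIAL, FRAMING_DNP3 and FRAMING_MODBUS_RTU are illustrative stand-ins rather than assigned DLT_/LINKTYPE_ numbers, SSCP is not modelled, and all sample traffic is constructed. The constructed capture includes a DNP3 frame with a 5 ms stall in the middle: silence-based framing splits it and the heuristics never see a whole frame, while forced DNP3 framing, which syncs on the start octets and the LENGTH field instead of timing, recovers it.

```python
"""Timing-based vs. protocol-forced framing of a byte-at-a-time serial capture."""
from typing import List, Optional, Sequence, Tuple

# Illustrative labels for the three framings requested above; NOT assigned
# DLT_/LINKTYPE_ values. A real module would carry whatever libpcap allocates.
FRAMING_SERIAL = "serial-timing"    # default: cut frames on line silence
FRAMING_DNP3 = "dnp3"
FRAMING_MODBUS_RTU = "modbus-rtu"

Sample = Tuple[float, int]          # (timestamp in seconds, octet value)


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: poly 0x8005 reflected (0xA001), init 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 reflected (0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def split_on_silence(samples: Sequence[Sample], gap: float) -> List[bytes]:
    """Time-based framing: a new frame starts wherever the line idled longer than gap."""
    frames, cur, last_t = [], bytearray(), None
    for t, b in samples:
        if cur and last_t is not None and t - last_t > gap:
            frames.append(bytes(cur))
            cur = bytearray()
        cur.append(b)
        last_t = t
    if cur:
        frames.append(bytes(cur))
    return frames


def is_modbus_rtu(frame: bytes) -> bool:
    """Address, function, data, CRC (low octet first). Only the CRC is checkable,
    so a random frame passes with probability about 1/65536: a weak heuristic."""
    return 4 <= len(frame) <= 256 and crc16_modbus(frame[:-2]) == int.from_bytes(frame[-2:], "little")


def is_dnp3(frame: bytes) -> bool:
    """0x05 0x64, LENGTH, CONTROL, DEST(2), SRC(2), CRC(2) over those 8 octets, then user
    data in blocks of up to 16 octets each followed by its own CRC (low octet first).
    LENGTH counts CONTROL+DEST+SRC (5) plus user data; CRCs are excluded."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        return False
    if crc16_dnp(frame[:8]) != int.from_bytes(frame[8:10], "little"):
        return False
    user, pos = frame[2] - 5, 10
    if user < 0:
        return False
    while user > 0:
        n = min(16, user)
        block, crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) != n or len(crc) != 2 or crc16_dnp(block) != int.from_bytes(crc, "little"):
            return False
        pos, user = pos + n + 2, user - n
    return pos == len(frame)


def frame_dnp3_stream(data: bytes) -> List[bytes]:
    """Forced DNP3 framing: ignore timing, sync on 0x05 0x64 and cut at the length the
    header announces. A candidate failing its CRCs is skipped one octet at a time."""
    frames, i = [], 0
    while i + 10 <= len(data):
        user = data[i + 2] - 5
        if data[i:i + 2] == b"\x05\x64" and user >= 0:
            total = 10 + user + 2 * ((user + 15) // 16)
            cand = data[i:i + total]
            if len(cand) == total and is_dnp3(cand):
                frames.append(cand)
                i += total
                continue
        i += 1
    return frames


def identify(frame: bytes) -> str:
    """Heuristic order: strongest signature first (start octets plus CRCs), then the
    CRC-only check, then fall back to the raw time-delimited frame."""
    if is_dnp3(frame):
        return FRAMING_DNP3
    if is_modbus_rtu(frame):
        return FRAMING_MODBUS_RTU
    return FRAMING_SERIAL


def dissect(samples: Sequence[Sample], forced: Optional[str] = None,
            gap: float = 0.0036) -> List[Tuple[str, bytes]]:
    """The proposed design: an operator who knows the protocol forces its framing;
    otherwise frames are cut on silence and handed to the heuristics."""
    if forced == FRAMING_DNP3:
        return [(FRAMING_DNP3, f) for f in frame_dnp3_stream(bytes(b for _, b in samples))]
    frames = split_on_silence(samples, gap)   # Modbus RTU and raw serial are silence-delimited
    return [(forced if forced is not None else identify(f), f) for f in frames]


def make_samples(parts: Sequence[Tuple[float, bytes]], char_time: float = 0.00104) -> List[Sample]:
    """Constructed capture: each part is (idle time before it, octets); ~1.04 ms per octet at 9600 8N1."""
    samples, t = [], 0.0
    for pause, chunk in parts:
        t += pause
        for b in chunk:
            samples.append((t, b))
            t += char_time
    return samples


# Constructed traffic (not captured from any device).
MODBUS_REQ = bytes.fromhex("01030000000AC5CD")        # unit 1, read 10 holding registers from 0
DNP3_HDR = b"\x05\x64\x05\xC0\x01\x00\x00\x00"         # LENGTH 5: header only
DNP3_EMPTY = DNP3_HDR + crc16_dnp(DNP3_HDR).to_bytes(2, "little")
_HDR2 = b"\x05\x64\x08\xC4\x01\x00\x00\x00"            # LENGTH 8: three octets of user data
_DATA = b"\xC0\xC1\x01"
DNP3_WITH_DATA = _HDR2 + crc16_dnp(_HDR2).to_bytes(2, "little") + _DATA + crc16_dnp(_DATA).to_bytes(2, "little")
SAMPLES = make_samples([
    (0.0, MODBUS_REQ),
    (0.020, DNP3_EMPTY),
    (0.020, DNP3_WITH_DATA[:6]), (0.005, DNP3_WITH_DATA[6:]),   # 5 ms stall mid-frame
    (0.020, b"ABC"),                                           # a protocol with no dissector
])

if __name__ == "__main__":
    for label, frame in dissect(SAMPLES):
        print("heuristic", label, frame.hex())
    for label, frame in dissect(SAMPLES, forced=FRAMING_DNP3):
        print("forced   ", label, frame.hex())
```

Run stand-alone it prints five heuristic frames (Modbus RTU, DNP3, two unidentified pieces of the stalled DNP3 frame, and the unknown bytes as raw serial) and then the two DNP3 frames the forced path recovers. The silence threshold of 3.6 ms is 3.5 character times at 9600 baud, which is the Modbus RTU inter-frame gap; it is the one knob that makes the default framing fit or not fit a given line.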
Current thread:
- Request for new DLT and LINKTYPE value Edgar, Thomas (Apr 12)
- Re: Request for new DLT and LINKTYPE value Guy Harris (Apr 12)
- Re: Request for new DLT and LINKTYPE value Edgar, Thomas (Apr 13)
- Re: Request for new DLT and LINKTYPE value Fulko Hew (Apr 13)
- Re: Request for new DLT and LINKTYPE value Guy Harris (Apr 13)
- Re: Request for new DLT and LINKTYPE value Edgar, Thomas (Apr 13)
- Re: Request for new DLT and LINKTYPE value Guy Harris (Apr 13)
- Re: Request for new DLT and LINKTYPE value Edgar, Thomas (Apr 15)
- Re: Request for new DLT and LINKTYPE value Guy Harris (Apr 15)
- Re: Request for new DLT and LINKTYPE value Edgar, Thomas (Apr 16)
- Re: Request for new DLT and LINKTYPE value Edgar, Thomas (Apr 13)
- Re: Request for new DLT and LINKTYPE value Guy Harris (Apr 12)
- Re: Request for new DLT and LINKTYPE value Michael Richardson (Apr 15)