Wireshark mailing list archives

Application-layer capture files


From: Hadriel Kaplan <HKaplan () acmepacket com>
Date: Wed, 22 Sep 2010 18:00:07 -0400

Howdy,
For a few years my company has provided a free offline tool to convert from an internal SIP message capture format of SIP 
messages received by our system parsers, to pcap format.  This tool does the classic trick of creating fake 
Ethernet+IP+UDP headers and formatting the thing as a pcap.  It made sense to do this, because it lets us capture the 
real IP:port info in the fake IP/UDP headers, so that wireshark displays them and the user can sort/filter based on ip 
and do conversation analysis, etc.  We don't want to do real raw packet captures as they're received off-the-wire, 
because SIP could run over TLS or IPsec and would only show encrypted data.

This all worked fine when everything was SIP over UDP over IPv4.  But SIP over TCP exists as well, and even over IPv6.  
Over TCP in particular, when "capturing" at the application layer you don't have access to sequence numbers and such, 
and recording them as UDP packets is really misleading (and screws up).  Furthermore, we'd like to change our systems 
to be able to create a file format and encap type wireshark will (someday) understand natively.

I could write a patch for wireshark to handle a new WTAP_ENCAP_RAW_SIP_SOCKET or some such, with a small header that 
records the ip:port:transport info we do have at the app layer, and dissector that handles that before calling SIP's 
dissector.  But it occurs to me we can't be the first ones with this problem - things like HTTP and other application 
layer parsers/apps must want the ability to "capture" into a file like pcap at their layer too, so is there some 
existing solution (encap format, file format, dissector, whatever) that I'm overlooking?  I've tried to check the 
source code of every one that looks like it might do it, but I can't find one.

-hadriel
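The fake-header trick described in the post, written out as an added example. This is my code, not the converter tool the post mentions or anything from the Wireshark project. It wraps a constructed SIP request in synthetic Ethernet II, IPv4 and UDP headers, writes a classic little-endian pcap (global header plus per-record headers), and reads the file back the way a dissector would, to show that the ip:port information really does survive in the fake headers. The IP addresses, ports, MAC addresses and timestamp are constructed sample values. It covers only the UDP-over-IPv4 case the post says works fine; fed SIP-over-TCP messages it would produce exactly the misleading UDP packets the post objects to, because there is no real TCP segment or sequence number to record.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4       # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1         # pcap "network" field for Ethernet frames
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17

# Constructed sample SIP request, as an application-layer parser would hand it up.
SAMPLE_SIP = (
    b"OPTIONS sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-abc123\r\n"
    b"From: <sip:alice@example.com>;tag=1\r\n"
    b"To: <sip:bob@example.com>\r\n"
    b"Call-ID: abc123@192.0.2.10\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 791). Returns 0 for a header
    whose checksum field is already filled in correctly."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fake_frame(src_ip, src_port, dst_ip, dst_port, payload):
    """Wrap an application-layer payload in synthetic Ethernet II + IPv4 + UDP headers."""
    udp_len = 8 + len(payload)
    # UDP checksum 0 means "not computed", which is legal for UDP over IPv4.
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    # version/IHL=0x45, TOS, total length, ID, flags+frag (DF), TTL, proto, checksum placeholder
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64,
                               IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip)))
    struct.pack_into("!H", ip, 10, ipv4_checksum(bytes(ip)))
    # Locally administered (0x02) MAC addresses, so the frame is obviously synthetic.
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + bytes(ip) + udp


def build_pcap(records):
    """records: iterable of (timestamp_seconds, src_ip, src_port, dst_ip, dst_port, payload)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, src_ip, sport, dst_ip, dport, payload in records:
        frame = fake_frame(src_ip, sport, dst_ip, dport, payload)
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def read_pcap(data):
    """Parse the file back, as a dissector would, recovering ip:port and payload per record."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unexpected link type %d" % linktype)
    off, out = 24, []
    while off < len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + incl]
        off += 16 + incl
        ethertype, = struct.unpack_from("!H", frame, 12)
        if ethertype != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        header = ip[:ihl]
        rec = {
            "ts": sec + usec / 1_000_000,
            "src": socket.inet_ntoa(header[12:16]),
            "dst": socket.inet_ntoa(header[16:20]),
            "ip_checksum_ok": ipv4_checksum(header) == 0,
        }
        if ip[9] == IPPROTO_UDP:
            sport, dport, ulen, _ = struct.unpack_from("!HHHH", ip, ihl)
            rec.update(sport=sport, dport=dport, payload=bytes(ip[ihl + 8: ihl + ulen]))
        out.append(rec)
    return out


if __name__ == "__main__":
    # Write one fake-framed SIP message; the result opens in Wireshark as a UDP/5060 packet.
    with open("fake_sip.pcap", "wb") as f:
        f.write(build_pcap([(1285192807.5, "192.0.2.10", 5060, "198.51.100.5", 5060, SAMPLE_SIP)]))
```

Because the IP checksum is computed rather than left at zero, Wireshark's IP validation will not flag every synthetic packet as bad; the UDP checksum is left at zero, which IPv4 permits and dissectors treat as "not present".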

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
