tcpdump mailing list archives

Re: Request for new DLT


From: Anders Broman <anders.broman () ericsson com>
Date: Mon, 24 Jun 2013 14:45:48 +0000



-----Original Message-----
From: Anders Broman 
Sent: den 19 juni 2013 19:23
To: 'mcr () sandelman ca'
Cc: tcpdump-workers () lists tcpdump org
Subject: RE: [tcpdump-workers] Request for new DLT



-----Original Message-----
From: mcr () sandelman ca [mailto:mcr () sandelman ca] 
Sent: den 19 juni 2013 14:50
To: Anders Broman
Cc: tcpdump-workers () lists tcpdump org
Subject: Re: [tcpdump-workers] Request for new DLT


Anders Broman <anders.broman () ericsson com> wrote:
    Anders> Hi, Any chance of getting forward on this? I'm not sure what I
    Anders> should change/make clearer to get this request accepted. We now
    Anders> have another use case in Wireshark: - Exporting decrypted packets
    Anders> from SSL sessions by "cutting" them off after the SSL layer and
    Anders> saving the file with the new DLT value, the TLVs and then the
    Anders> PDUs following after the SSL layer.  Regards Anders Broman

After the pcap is created, how will another tool know what's in these payloads?

That's our fundamental question.  Can anyone other than the original person who saved these files have a clue what dissector to apply?
Forgive me if I'm just not seeing where this information is going to be.

If not, then one of the PCAP private values makes sense.
Currently there are two tags defined to indicate which protocol the packet block starts with:
#define EXP_PDU_TAG_LINKTYPE          11 /**< The value part is the linktype value defined by tcpdump 
                                          * http://www.tcpdump.org/linktypes.html
                                          */ 
#define EXP_PDU_TAG_PROTO_NAME        12 /**< The value part should be an ASCII, non-NUL-terminated string
                                          * of the short protocol name used by Wireshark, e.g. "sip".
                                          * Will be used to call the next dissector.
                                          */
The Wireshark implementation currently only uses EXP_PDU_TAG_PROTO_NAME.
Is this good enough?
Regards
Anders Broman


Ping?

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr () sandelman ca  http://www.sandelman.ca/        |   ruby on rails    [

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
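Added example, not code from this thread or from Wireshark or libpcap: a small writer and a bounds-checked reader for the per-packet TLV list discussed above, showing how a second tool recovers the dissector name from EXP_PDU_TAG_PROTO_NAME before touching the PDU. The wire encoding is an assumption the thread does not state (2-byte big-endian tag, 2-byte big-endian length, value padded to a 4-byte boundary, list ended by a tag 0 / length 0 entry named EXP_PDU_TAG_END_OF_OPT here, LINKTYPE carrying a 4-byte big-endian value, PDU following the list); the MAX_PROTO_NAME bound and the sample SIP line are constructed for the example. Because the name is not NUL terminated and comes from an untrusted capture file, the reader treats every length field as a claim to be checked, not a fact.

```c
/* Added example (not from the thread, Wireshark or libpcap). Assumed encoding:
 * tag(2, BE) len(2, BE) value padded to 4 bytes; tag 0/len 0 ends the list. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

#define EXP_PDU_TAG_END_OF_OPT         0   /* assumed terminator tag */
#define EXP_PDU_TAG_LINKTYPE          11   /* value: tcpdump linktype, 4 bytes assumed */
#define EXP_PDU_TAG_PROTO_NAME        12   /* value: Wireshark protocol name, not NUL terminated */
#define MAX_PROTO_NAME                32   /* local sanity bound, assumed */

struct exp_pdu_hdr {
    int      has_linktype;
    uint32_t linktype;
    char     proto_name[MAX_PROTO_NAME + 1];  /* copied out and NUL terminated */
    size_t   pdu_offset;                      /* where the real PDU starts */
};

/* Append one TLV; returns bytes written, or 0 if it does not fit. */
static size_t put_tlv(uint8_t *out, size_t cap, uint16_t tag, const uint8_t *val, uint16_t len)
{
    size_t padded = ((size_t)len + 3) & ~(size_t)3;
    if (cap < 4 + padded) return 0;
    out[0] = (uint8_t)(tag >> 8); out[1] = (uint8_t)tag;
    out[2] = (uint8_t)(len >> 8); out[3] = (uint8_t)len;
    if (len) memcpy(out + 4, val, len);
    memset(out + 4 + len, 0, padded - len);   /* zero the padding */
    return 4 + padded;
}

/* Write "PROTO_NAME TLV, end TLV, pdu" into out. Returns total length or 0. */
size_t build_exported_pdu(uint8_t *out, size_t cap, const char *proto,
                          const uint8_t *pdu, size_t pdu_len)
{
    size_t plen = strlen(proto), off, n;
    if (plen == 0 || plen > MAX_PROTO_NAME) return 0;
    off = put_tlv(out, cap, EXP_PDU_TAG_PROTO_NAME, (const uint8_t *)proto, (uint16_t)plen);
    if (!off) return 0;
    n = put_tlv(out + off, cap - off, EXP_PDU_TAG_END_OF_OPT, NULL, 0);
    if (!n) return 0;
    off += n;
    if (cap - off < pdu_len) return 0;
    memcpy(out + off, pdu, pdu_len);
    return off + pdu_len;
}

/* Parse the TLV list of an untrusted record. Returns 1 on success, 0 on
 * malformed input; every read is bounds-checked against len. */
int parse_exported_pdu(const uint8_t *buf, size_t len, struct exp_pdu_hdr *h)
{
    size_t off = 0;
    memset(h, 0, sizeof *h);
    for (;;) {
        uint16_t tag, vlen;
        size_t padded, i;
        if (len - off < 4) return 0;                     /* truncated tag/length */
        tag  = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        vlen = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        off += 4;
        padded = ((size_t)vlen + 3) & ~(size_t)3;
        if (len - off < padded) return 0;                /* length claims bytes not present */
        if (tag == EXP_PDU_TAG_END_OF_OPT) {
            if (vlen != 0) return 0;
            h->pdu_offset = off;
            /* with neither tag no reader can choose a dissector: reject */
            return h->has_linktype || h->proto_name[0] != '\0';
        }
        if (tag == EXP_PDU_TAG_LINKTYPE) {
            if (vlen != 4) return 0;
            h->linktype = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
                          ((uint32_t)buf[off + 2] << 8) | buf[off + 3];
            h->has_linktype = 1;
        } else if (tag == EXP_PDU_TAG_PROTO_NAME) {
            if (vlen == 0 || vlen > MAX_PROTO_NAME) return 0;
            for (i = 0; i < vlen; i++) {                 /* plain ASCII name characters only */
                int c = buf[off + i];
                if (!isalnum(c) && c != '-' && c != '_' && c != '.') return 0;
            }
            memcpy(h->proto_name, buf + off, vlen);
            h->proto_name[vlen] = '\0';
        }
        off += padded;   /* unknown tags are skipped so newer writers do not break old readers */
    }
}

/* Constructed sample: a SIP request cut off after the SSL layer. */
static const uint8_t sample_pdu[] = "OPTIONS sip:example.invalid SIP/2.0\r\n";

/* Round trip: returns the PDU offset (12) when the name "sip" comes back, else -1. */
int demo_roundtrip(void)
{
    uint8_t rec[128];
    struct exp_pdu_hdr h;
    size_t n = build_exported_pdu(rec, sizeof rec, "sip", sample_pdu, sizeof sample_pdu - 1);
    if (!n || !parse_exported_pdu(rec, n, &h) || strcmp(h.proto_name, "sip") != 0) return -1;
    return (int)h.pdu_offset;
}

/* Constructed bad record: PROTO_NAME claiming 100 bytes inside an 8-byte record. */
int demo_rejects_overlong_length(void)
{
    static const uint8_t bad[] = { 0x00, 0x0c, 0x00, 0x64, 's', 'i', 'p', 0x00 };
    struct exp_pdu_hdr h;
    return parse_exported_pdu(bad, sizeof bad, &h);  /* 0: rejected before any over-read */
}

int main(void)
{
    printf("dissector lookup works, pdu offset = %d\n", demo_roundtrip());
    printf("overlong length rejected: %s\n", demo_rejects_overlong_length() == 0 ? "yes" : "no");
    return 0;
}
```

The reader skips tags it does not know, so a file written with both EXP_PDU_TAG_LINKTYPE and EXP_PDU_TAG_PROTO_NAME still parses, and a record that carries neither is refused rather than guessed at, which is the situation the thread is worried about.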

