tcpdump mailing list archives

Re: Request for DLT for new BlueZ Monitor


From: Guy Harris <guy () alum mit edu>
Date: Thu, 9 Jan 2014 16:47:37 -0800


On Dec 29, 2013, at 11:21 PM, Michal Labedzki <michal.labedzki () tieto com> wrote:

Implementation in libpcap is very similar to pcap-bt-linux.c, but:
1. There is only one interface, let's call it bluetooth-monitor

I.e., it's like the "any" device.

2. Pseudo header is:
   guint16   adapter_id;

So that presumably indicates on which physical adapter the packet was sent or received.

   guint16   opcode;

I infer from

+static const value_string opcode_vals[] = {
+    { 0x00,  "New Index" },
+    { 0x01,  "Delete Index" },
+    { 0x02,  "HCI Command Packet" },
+    { 0x03,  "HCI Event Packet" },
+    { 0x04,  "ACL Tx Packet" },
+    { 0x05,  "ACL Rx Packet" },
+    { 0x06,  "SCO Tx Packet" },
+    { 0x07,  "SCO Rx Packet" },
+    { 0x00, NULL }

in the Wireshark patch that those are the possible opcode values.  The HCI spec describes the packet types as

        HCI Command Packet
        HCI ACL Data Packet
        HCI Synchronous Data Packet 
        HCI Event Packet

so presumably "ACL Tx Packet" and "ACL Rx Packet" are HCI ACL Data Packets transmitted and received by the host, 
respectively, and "SCO Tx Packet" and "SCO Rx Packet" are HCI Synchronous Data Packets transmitted and received by the 
host, respectively.  (Presumably HCI Command Packets are always transmitted by the host and HCI Event Packets are 
always received by the host.)

Is what *follows* the pseudo-header just a regular HCI packet, except for "New Index" and "Delete Index"?

Does "New Index" mean "here's a new interface", with adapter_id being the adapter ID of the new interface, and with the 
payload being, as inferred from

+    case 0x00: /* New Index */
+        proto_tree_add_item(hci_mon_tree, hf_bus, tvb, offset, 1, ENC_NA);
+        offset += 1;
+
+        proto_tree_add_item(hci_mon_tree, hf_type, tvb, offset, 1, ENC_NA);
+        offset += 1;
+
+        offset = dissect_bd_addr(hf_bd_addr, hci_mon_tree, tvb, offset);
+
+        proto_tree_add_item(hci_mon_tree, hf_name, tvb, offset, 8, ENC_NA | ENC_ASCII);
+        offset += 8;
+
+        break;
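
Review bot: in the New Index case the name is added as a fixed 8-byte ENC_NA | ENC_ASCII item, and nothing here says whether the field is NUL-padded or may fill all 8 bytes without a terminator. A short comment giving the payload layout (bus, type, BD_ADDR, name and their sizes) would let readers check the offsets without inferring them from the sequence of calls.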

having a 1-byte interface bus value from the set implied by

+static const value_string bus_vals[] = {
+    { 0x00,  "BR/EDR" },
+    { 0x01,  "AMP" },
+    { 0x00, NULL }
+};

followed by a 1-byte interface type value from the set implied by

+static const value_string type_vals[] = {
+    { 0x00,  "Virtual" },
+    { 0x01,  "USB" },
+    { 0x02,  "PC Card" },
+    { 0x03,  "UART" },
+    { 0x04,  "RS232" },
+    { 0x05,  "PCI" },
+    { 0x06,  "SDIO" },
+    { 0x00, NULL }
+};
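
Review bot: the labels in type_vals ("USB", "PC Card", "UART", "PCI", "SDIO") read as transports or buses, while bus_vals holds "BR/EDR" and "AMP", which read as controller types, so the two table names (and with them hf_bus and hf_type) look swapped relative to what they describe. Renaming them, or adding a comment that explains the choice, would keep the displayed field names from misleading readers.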

followed by a byte-reversed MAC address for the interface as implied by

+        offset = dissect_bd_addr(hf_bd_addr, hci_mon_tree, tvb, offset);

and the code of dissect_bd_addr(), followed by an 8-byte ASCII string for the interface name, and does "Delete Index" 
mean "this interface disappeared", with adapter_id being the adapter ID of the interface, and with no payload, as 
implied by

+    case 0x01: /* Delete Index */
+        /* No parameters */
+
+        break;
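
Review bot: the Delete Index case adds nothing and leaves offset unchanged, so any bytes that do follow the pseudo-header for this opcode go unreported by this case. If the payload is required to be empty, consider checking the remaining length here and flagging unexpected data instead of only breaking.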
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
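
The record layout the message above infers (a 4-byte pseudo-header, then for New Index a bus byte, a type byte, a byte-reversed BD_ADDR and an 8-byte name), written as a bounds-checked C parser. This is an added example, not code from libpcap, Wireshark or the thread; the names hci_mon_rec and hci_mon_parse are hypothetical, and the big-endian pseudo-header fields and the exact-length checks are assumptions the page does not state.

```c
#include <stddef.h>
#include <stdint.h>

enum { HCI_MON_NEW_INDEX = 0x00, HCI_MON_DEL_INDEX = 0x01 }; /* from opcode_vals */

struct hci_mon_rec {              /* hypothetical type name */
    uint16_t adapter_id, opcode;
    const uint8_t *payload;       /* bytes after the 4-byte pseudo-header */
    size_t payload_len;
    uint8_t bus, type;            /* this and the next two fields: New Index only */
    uint8_t bd_addr[6];           /* un-reversed, most significant byte first */
    char name[9];                 /* 8 wire bytes plus a terminating NUL */
};

/* Returns 0 on success, -1 if the record is truncated or malformed. */
int hci_mon_parse(const uint8_t *buf, size_t len, struct hci_mon_rec *r)
{
    if (len < 4) return -1;
    /* ASSUMPTION: both 16-bit fields are big-endian; the page does not say. */
    r->adapter_id = (uint16_t)((buf[0] << 8) | buf[1]);
    r->opcode = (uint16_t)((buf[2] << 8) | buf[3]);
    r->payload = buf + 4;
    r->payload_len = len - 4;
    if (r->opcode == HCI_MON_DEL_INDEX)     /* ASSUMPTION: must carry no payload */
        return r->payload_len == 0 ? 0 : -1;
    if (r->opcode != HCI_MON_NEW_INDEX)     /* HCI packet: left to an HCI parser */
        return 0;
    if (r->payload_len != 1 + 1 + 6 + 8)    /* bus, type, BD_ADDR, name */
        return -1;
    r->bus = r->payload[0];
    r->type = r->payload[1];
    for (int i = 0; i < 6; i++)             /* wire order is byte-reversed */
        r->bd_addr[i] = r->payload[7 - i];
    int n = 0;
    for (; n < 8 && r->payload[8 + n] != 0; n++) {
        uint8_t c = r->payload[8 + n];      /* replace non-printable bytes */
        r->name[n] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
    }
    r->name[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample: adapter 0, New Index, bus 0, type 1, "hci0". */
    const uint8_t rec[] = { 0, 0, 0, 0, 0x00, 0x01, 0x55, 0x44, 0x33, 0x22,
                            0x11, 0x00, 'h', 'c', 'i', '0', 0, 0, 0, 0 };
    struct hci_mon_rec r;
    return hci_mon_parse(rec, sizeof rec, &r) == 0 ? 0 : 1;
}
```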

