Re: independent dissection of plug-ins

[Guy Harris <guy () alum mit edu>]

On Aug 30, 2010, at 11:14 PM, upendra.allu () wipro com wrote:

> Is It that one pcap file only supports only one DLT?

Yes.

If you have a sufficiently recent version of libpcap on your machine, "man pcap-savefile" will describe the pcap 
format; you can also see it described at

        http://wiki.wireshark.org/FileFormatReference/libpcap

In both of those places you can see that a pcap file has only one file header, and the DLT value is in the file header, 
so there's only one DLT value in a pcap file, so a pcap file, by definition, supports only one DLT.

> If yes what is the best way to meet my requirement? I want to decode multiple plug-ins in the same pcap file (without 
> decoding the plug-ins complete stack)

You would have to define a pseudo-protocol that includes a field that indicates which plugin to call, and put a 
pseudo-link-layer header with that field in front of your plugin's data, and then use a single DLT for that 
pseudo-protocol.

(Wireshark was designed to support protocols on a network, not arbitrary artificial file formats.  Attempts to do 
something outside what it was designed for might work, but they aren't going to be as simple as you'd like.)
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe