Wireshark mailing list archives

Re: Annotating capture files and/or pcap pre-processing


From: Hadriel Kaplan <HKaplan () acmepacket com>
Date: Thu, 11 Nov 2010 20:27:51 -0500


On Nov 11, 2010, at 7:30 PM, Jouni Malinen wrote:

This looks somewhat better than the picture I got from the wiki page
(http://wiki.wireshark.org/Development/PcapNg) which seemed to
indicate that only Ethernet link type would be supported. Though, the
per-packet opt_comment part would likely be the area that I would
really need to get shown in Wireshark. And with that, the
"materialize" would probably be defined as "getting per-packet
opt_comment showing up in Wireshark" in the near future. Looks like I'll
need to take a closer look at the current implementation then.

If you do it, please make it agnostic to the file format, or at least easy to patch for other file formats. Wireshark supports reading/writing multiple file formats, some of which also support per-packet comments, so it would be really nice to be able to let them all do so without too much work. Just my 2 cents.

This would likely not be suitable for the
annotation-as-a-bogus-frame-from-kernel part, so the question about
radiotap/IEEE 802.11 frame extension with vendor-specific contents
(OUI/subtype used) would probably still be something that would be
nice to get resolved. For expert info, I'd guess it could be encoded
somehow in opt_comment.

I was wondering if anyone else had that type of idea - I've often thought Wireshark could just ask IEEE for an OUI (or ask Cace for a number within Cace's OUI), and make fake Ethernet frames using that OUI in the src/dest MAC addresses to contain meta-data such as comments. But it's really a hack, and would only work for capture files containing frame types that have MAC addresses. Seems like a bad idea in the long term. :(

-hadriel

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
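The thread above turns on where a per-packet comment lives in pcapng: as an opt_comment option (code 1) trailing the packet data inside an Enhanced Packet Block, independent of the interface's link type. The example below is added here for illustration and is not code from the thread or from Wireshark; it writes a small little-endian pcapng file whose interface uses LINKTYPE_IEEE802_11 (105), attaches comments to two of three frames, and parses the comments back. The sample frames are constructed 24-byte 802.11 headers with locally administered MAC addresses, not real captures, and the reader deliberately handles only little-endian sections. Every length field in a capture file is attacker-controlled when the file comes from an untrusted source, so the reader validates block, captured-length and option lengths before slicing.

```python
import struct

# pcapng constants (block types and option codes from the pcapng specification)
BLOCK_SHB = 0x0A0D0D0A        # Section Header Block
BLOCK_IDB = 0x00000001        # Interface Description Block
BLOCK_EPB = 0x00000006        # Enhanced Packet Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D
OPT_ENDOFOPT = 0
OPT_COMMENT = 1
OPT_IF_TSRESOL = 9
LINKTYPE_IEEE802_11 = 105     # comments live in the container, so the link type is arbitrary


def _pad32(b):
    """Pad to a 32-bit boundary, as every pcapng block body and option value requires."""
    return b + b"\x00" * ((-len(b)) % 4)


def _option(code, value):
    return struct.pack("<HH", code, len(value)) + _pad32(value)


def _block(block_type, body):
    total = 12 + len(body)  # type + leading length + body + trailing length
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def write_pcapng(packets, linktype=LINKTYPE_IEEE802_11, snaplen=65535):
    """Serialise (timestamp_us, frame_bytes, comment_or_None) tuples as a little-endian pcapng file."""
    shb_body = struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1)  # section length -1 = unknown
    out = _block(BLOCK_SHB, shb_body)
    idb_body = struct.pack("<HHI", linktype, 0, snaplen)
    idb_body += _option(OPT_IF_TSRESOL, bytes([6])) + _option(OPT_ENDOFOPT, b"")  # 10^-6 s
    out += _block(BLOCK_IDB, idb_body)
    for ts_us, data, comment in packets:
        body = struct.pack("<IIIII", 0, ts_us >> 32, ts_us & 0xFFFFFFFF, len(data), len(data))
        body += _pad32(data)
        if comment is not None:
            # The comment is an option after the packet data; the frame bytes are untouched.
            body += _option(OPT_COMMENT, comment.encode("utf-8")) + _option(OPT_ENDOFOPT, b"")
        out += _block(BLOCK_EPB, body)
    return out


def read_comments(blob):
    """Walk the blocks and return [(frame_bytes, [comments])] per EPB, validating every length first."""
    results, off = [], 0
    while off + 12 <= len(blob):
        btype, total = struct.unpack_from("<II", blob, off)
        if total < 12 or total % 4 or off + total > len(blob):
            raise ValueError("malformed block length at offset %d" % off)
        if struct.unpack_from("<I", blob, off + total - 4)[0] != total:
            raise ValueError("block trailer mismatch at offset %d" % off)
        body = blob[off + 8:off + total - 4]
        if btype == BLOCK_SHB:
            if struct.unpack_from("<I", body, 0)[0] != BYTE_ORDER_MAGIC:
                raise ValueError("only little-endian sections are handled in this example")
        elif btype == BLOCK_EPB:
            _iface, _ts_hi, _ts_lo, caplen, _origlen = struct.unpack_from("<IIIII", body, 0)
            if 20 + caplen > len(body):
                raise ValueError("captured length exceeds block at offset %d" % off)
            data = body[20:20 + caplen]
            opts, pos, comments = body[20 + len(_pad32(data)):], 0, []
            while pos + 4 <= len(opts):
                code, olen = struct.unpack_from("<HH", opts, pos)
                pos += 4
                if code == OPT_ENDOFOPT:
                    break
                if pos + olen > len(opts):
                    raise ValueError("option overruns block at offset %d" % off)
                if code == OPT_COMMENT:
                    comments.append(opts[pos:pos + olen].decode("utf-8", "replace"))
                pos += (olen + 3) & ~3
            results.append((data, comments))
        off += total
    return results


# Constructed sample frames: 24-byte IEEE 802.11 data headers with locally administered MACs.
_HDR = "ffffffffffff020000000001020000000001"
SAMPLE_PACKETS = [
    (1289521671000000, bytes.fromhex("08020000" + _HDR + "5001"), "expert: retransmission of seq 5"),
    (1289521671000250, bytes.fromhex("08010000" + _HDR + "6001"), None),
    (1289521671000900, bytes.fromhex("c8000000" + _HDR + "7001"), "annotation: test case 3 starts here"),
]

if __name__ == "__main__":
    for frame, comments in read_comments(write_pcapng(SAMPLE_PACKETS)):
        print(len(frame), "bytes", comments)
```

Because the comment is carried by the file format rather than by a synthetic frame, no dissector ever sees it, which is what makes the option approach work for link types without MAC addresses; the fake-Ethernet-frame idea in the message above would instead have to be stripped or recognised by every dissector that could encounter it.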

