Wireshark mailing list archives

Re: Application-layer capture files


From: Jaap Keuter <jaap.keuter () xs4all nl>
Date: Thu, 23 Sep 2010 09:11:05 +0200

On 09/23/2010 12:00 AM, Hadriel Kaplan wrote:
Howdy,
For a few years my company's provided a free offline tool to convert from an internal SIP message capture format of 
SIP messages received by our system parsers, to pcap format.  This tool does the classic trick of creating fake 
Ethernet+IP+UDP headers and formatting the thing as a pcap.  It made sense to do this, because it lets us capture the 
real IP:port info in the fake IP/UDP headers, so that wireshark displays them and the user can sort/filter based on 
ip and do conversation analysis, etc.  We don't want to do real raw packet captures as they're received off-the-wire, 
because SIP could run over TLS or IPsec and would only show encrypted data.

This all worked fine when everything was SIP over UDP over IPv4.  But SIP over TCP exists as well, and even over 
IPv6.  Over TCP in particular, when "capturing" at the application layer you don't have access to sequence numbers 
and such, and recording them as UDP packets is really misleading (and screws up).  Furthermore, we'd like to change 
our systems to be able to create a file format and encap type wireshark will (someday) understand natively.

I could write a patch for wireshark to handle a new WTAP_ENCAP_RAW_SIP_SOCKET or some such, with a small header that 
records the ip:port:transport info we do have at the app layer, and dissector that handles that before calling SIP's 
dissector.  But it occurs to me we can't be the first ones with this problem - things like HTTP and other application 
layer parsers/apps must want the ability to "capture" into a file like pcap at their layer too, so is there some 
existing solution (encap format, file format, dissector, whatever) that I'm overlooking?  I've tried to check the 
source code of every one that looks like it might do it, but I can't find one.

-hadriel


Hi,

I understand what you're doing in this matter (I do a similar thing in our 
software); still, I doubt it's a good idea to strip out the underlying network 
layer information. That information is needed in Wireshark to get a grasp of the 
nodes involved, conversations between endpoints, etc. All kinds of analysis 
functions are based on that. Making it a pure application level dissection 
strips away what makes Wireshark Wireshark, a *network* traffic analyzer, not an 
application log viewer.

I'm not sure why UDP encapsulation won't work for you in this case. You most 
likely tap your SIP messages between the SIP engine and the protocol stack. 
There you have complete SIP messages, ideal for putting in UDP encapsulated 
payloads.
Otherwise a fake TCP engine could help you out in writing the capture files, to 
keep the stream concept going, although it's not the real network traffic.

Thanks,
Jaap


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
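The fake-header trick both messages describe, as an added example (not code from either poster or from Wireshark): wrap one application-layer SIP message in fabricated Ethernet/IPv4/UDP headers that carry the real IP:port tuple, and write it as a classic pcap record. The SIP message and the addresses are constructed sample data, and the MAC addresses are locally-administered placeholders.

```python
import socket
import struct
import time

# Constructed sample: a minimal SIP request as the application layer would hand it over.
SIP_INVITE = (
    b"INVITE sip:bob@example.invalid SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"Call-ID: a84b4c76e66710\r\nContent-Length: 0\r\n\r\n"
)

def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; verifying a filled-in header yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_udp_frame(src_ip, src_port, dst_ip, dst_port, payload: bytes) -> bytes:
    """Wrap one application-layer message in fabricated Ethernet/IPv4/UDP headers.
    Only the IP:port tuple is real data; the MACs are locally-administered placeholders."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 17, udp_len)  # UDP pseudo-header
    udp_csum = ip_checksum(pseudo + udp_hdr + payload) or 0xFFFF  # 0 means "no checksum"
    udp_hdr = udp_hdr[:6] + struct.pack("!H", udp_csum)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = bytes.fromhex("020000000002" "020000000001" "0800")  # dst MAC, src MAC, IPv4
    return eth_hdr + ip_hdr + udp_hdr + payload

def build_pcap(frames, ts=None) -> bytes:
    """Classic pcap (not pcapng): 24-byte global header, then one 16-byte record header per frame."""
    ts = time.time() if ts is None else ts
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        sec, usec = divmod(int(ts * 1_000_000) + i, 1_000_000)  # distinct, ordered timestamps
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def write_pcap(path, frames, ts=None):
    with open(path, "wb") as fh:
        fh.write(build_pcap(frames, ts))

if __name__ == "__main__":
    frame = build_udp_frame("192.0.2.10", 5060, "198.51.100.7", 5060, SIP_INVITE)
    write_pcap("sip_app_capture.pcap", [frame])  # opens in Wireshark as SIP over UDP
```

Because the IP and UDP headers carry the real addresses and ports, Wireshark's endpoint and conversation views still work; messages that actually travelled over TCP would need the stream-preserving fake TCP engine Jaap mentions rather than this UDP wrapper.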