Wireshark mailing list archives

Previous By Date Next
Previous By Thread Next

Re: rs232 dissection?

From: Guy Harris <guy () alum mit edu>
Date: Fri, 10 Feb 2012 13:10:20 -0800

On Feb 10, 2012, at 12:38 PM, eymanm wrote:


I'm looking into using wireshark to dissect rs232 trafic. No Ethernet. Data is organised in 64-bit packets. Can 
somebody weigh if this is doable, and if so, suggest a brief implementation plan?


As long as the 64-bit packets are written in a file format that Wireshark can understand, it should be possible to make 
Wireshark dissect the packets.

To *capture* the packets in Wireshark would require some more work.

As for the file format, you could:

        use one of the USERn link-layer type values in a pcap or pcap-NG file, and set up your dissector to handle that 
USERn type;

        get a link-layer header type value officially assigned, by sending a request to tcpdump-workers () lists 
tcpdump org (and supplying a description of the packet format or a link to that specification), use it in a pcap or 
pcap-NG file, add a WTAP_ENCAP_ value for your packets, and modify Wireshark to map that link-layer header type value 
to the WTAP_ENCAP_ value, and have your dissector register for that WTAP_ENCAP_ value;

        use your own file format, add a WTAP_ENCAP_ value for your packets, add code to read that file format using 
that WTAP_ENCAP_ value,  and modify Wireshark to map that link-layer header type value to the WTAP_ENCAP_ value, and 
have your dissector register for that WTAP_ENCAP_ value.

The first of those minimizes the number of changes to Wireshark, but means that the support for your protocol cannot be 
enabled by default in an official Wireshark release (Wireshark deliberately *avoids* wiring the WTAP_ENCAP_USERn values 
to any protocol, so that users are free to use them as they choose), and means there's no guarantee that your files 
will be readable by default in anybody else's Wireshark.

The second of those requires more work than the first but less work than the third, and means that the support for your 
protocol can be enabled by default in an official Wireshark release.

The third of those requires additional work.

I'd recommend the first or second - the first if you're only using it yourself, the second if you want to exchange 
captures with other people.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: