Mailing List Archive: Ethereal: dev

Flexible file formats



pbk3012 at pbk

Dec 22, 2000, 9:05 AM

Post #1 of 7
Flexible file formats

Hello ethereal developers.

I have a little question/problem.

I am creating a packet trace (sniffer) function for a series of
routers. The router supports many different interfaces (ISDN/WAN/LAN)
and protocols (IP/TCP/PPP/HDLC....). In what file format should I save
the output to be as compatible with Ethereal as possible? What
format is most flexible?

If no suitable format is available, I was considering creating my own
format and then developing a suitable driver for Ethereal. How
complicated is the process of inserting a new format into Ethereal?

Hope you guys can help me.

Peter Dons Tychsen, Intel, Denmark

PS: Love Ethereal... cool tool.

-----------------------------------------
Peter Dons Tychsen
Email: donpedro [at] pbk
-----------------------------------------


Gilbert_Ramirez at tivoli

Dec 22, 2000, 9:36 AM

Post #2 of 7
Re: Flexible file formats [In reply to]

Probably the best thing to do is to support the pcap format, and to
register with them any link-layer types that you need that aren't
currently known by libpcap. Look at www.tcpdump.org; join the
tcpdump-workers mailing list (which treats libpcap issues, too).

That said, adding a new file format to the wiretap library in Ethereal is
not difficult, but if your tool produces pcap-compatible files, tools that
don't use the wiretap library but do use the libpcap library will be able
to read your traces.

--gilbert



gharris at flashcom

Dec 22, 2000, 2:24 PM

Post #3 of 7
Re: Flexible file formats [In reply to]

On Fri, Dec 22, 2000 at 05:05:07PM +0100, Peter Dons Tychsen wrote:
> I am creating a packet trace (sniffer) function for a series of
> routers. The router supports many different interfaces (ISDN/WAN/LAN)
> and protocols (IP/TCP/PPP/HDLC....). In what file format should I save
> the output to be as compatible with Ethereal as possible? What
> format is most flexible?

As Gilbert suggested, libpcap format is probably the best choice. One
of the things that makes it flexible is that libpcap is open source and
actively being developed.

Currently, the link-layer formats it supports (other than those that are
"software-defined", such as DLT_NULL, which is used for loopback
devices) include:

    Ethernet
    Token Ring
    FDDI
    SLIP
    PPP (several different flavors, depending on what parts of the
    header show up; the one you want may be DLT_PPP_SERIAL, which
    originally came from NetBSD, and which can be used either for
    traffic with a PPP header or for traffic with a Cisco
    point-to-point HDLC header as described in section 4.3.1 of RFC
    1547)
    IEEE 802.11 wireless LAN


donpedro at pbk

Dec 23, 2000, 9:48 AM

Post #4 of 7
Re: Flexible file formats [In reply to]

Sounds like pcap is the way to go.

Thanks for your fast response time. These things are funny. I sent tons of
mail to big professional network companies: no response or a dumb response.

Then I post 1 message on a freeware mailing list, and I get the response I
need the next day. WOW.

Keep it up.

Peter, Intel, Denmark



hagbard at physics

Dec 23, 2000, 9:57 AM

Post #5 of 7
Re: Flexible file formats [In reply to]

For an even more impressive example of the response time on
open source software, check out

http://www.ethereal.com/lists/ethereal-dev/200011/msg00030.html

and follow the thread.

In a nutshell, I had a problem, sent an email at about 10pm on a Saturday
night complaining about it, and had TWO fixes to my problem checked
into CVS by TWO separate people by 6am Sunday morning.

I wish you luck in your project. It's always good to be able to
capture from more sources. I'd personally love to code an extension to
libpcap to handle sniffing DOCSIS (Data Over Cable Service Interface
Specification) if I could only come across hardware that I thought could
appropriately pull the bits off the wire.

Ed



gram at xiexie

Dec 23, 2000, 11:25 AM

Post #6 of 7
Re: Flexible file formats [In reply to]

On Fri, 22 Dec 2000 13:24:07 -0800
Guy Harris <gharris [at] flashcom> wrote:

> On Fri, Dec 22, 2000 at 05:05:07PM +0100, Peter Dons Tychsen wrote:
> > I am creating a packet trace (sniffer) function for a series of
> > routers. The router supports many different interfaces (ISDN/WAN/LAN)
> > and protocols (IP/TCP/PPP/HDLC....). In what file format should I save
> > the output to be as compatible with Ethereal as possible? What
> > format is most flexible?
>
> As Gilbert suggested, libpcap format is probably the best choice. One
> of the things that makes it flexible is that libpcap is open source and
> actively being developed.

As a side note, the current version of the pcap file format should work
just fine for you, but if for some reason you need to change the format of
the headers of the file or its records, be sure to coordinate with
tcpdump-workers, and *never* change the file format w/o updating
the magic number in the file.... or Guy will get very very angry. :)

He's the one who has written all the heuristics in our pcap support
to determine the version of the pcap file format when it is improperly
specified in the file.

--gilbert


gharris at flashcom

Dec 23, 2000, 12:09 PM

Post #7 of 7
Re: Flexible file formats [In reply to]

On Sat, Dec 23, 2000 at 12:25:11PM -0600, Gilbert Ramirez wrote:
> As a side note, the current version of the pcap file format should work
> just fine for you, but if for some reason you need to change the format of
> the headers of the file or its records, be sure to coordinate with
> tcpdump-workers,

The same applies if you need to add a new link-layer type.

(There's a fair bit of hackery, both in the current CVS version of
libpcap and in Wiretap's libpcap support, to cope with the fact that
different OSes have given different link-layer types the *same*
numerical value, making it a bit difficult to read some captures on a
platform other than the one on which the capture was done. I hope to
avoid having to continue to add table entries to cope with that....)
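The two warnings above (keep the magic number honest when the layout changes, and use a registered DLT value rather than a private one) come down to what a reader can check in the 24-byte libpcap file header. The following is an added example, not libpcap's or Ethereal's own code: a writer that emits the header in host byte order the way libpcap does, and a reader that accepts either byte order via the magic, rejects an unknown magic or version, and hands back the link-layer type. The DLT numbers are the real libpcap values for the two types named in the thread; the struct layout and error codes are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed example of the classic libpcap file header; not libpcap code. */
#define PCAP_MAGIC         0xa1b2c3d4u  /* magic in the writer's own byte order */
#define PCAP_MAGIC_SWAPPED 0xd4c3b2a1u  /* same magic seen from the other endianness */
#define DLT_NULL           0            /* BSD loopback, "software-defined" */
#define DLT_PPP_SERIAL     50           /* PPP or Cisco HDLC over a serial line */

struct pcap_file_header {
    uint32_t magic;
    uint16_t version_major, version_minor;
    int32_t  thiszone;   /* GMT offset, normally 0 */
    uint32_t sigfigs;    /* timestamp accuracy, normally 0 */
    uint32_t snaplen;    /* max bytes kept per packet */
    uint32_t linktype;   /* one DLT_* value for every record in the file */
};

static uint32_t bswap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}
static uint16_t bswap16(uint16_t v) { return (uint16_t)((v >> 8) | (v << 8)); }

/* Writer side: host byte order, version 2.4, as libpcap writes it. */
size_t pcap_write_header(unsigned char *out, size_t cap, uint32_t snaplen, uint32_t linktype) {
    struct pcap_file_header h = { PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype };
    if (cap < sizeof h) return 0;
    memcpy(out, &h, sizeof h);
    return sizeof h;
}

/* Reader side. Returns 0 on success, -1 short input, -2 unknown magic,
 * -3 unsupported version. A layout change that kept the old magic would
 * pass this check and be misparsed, which is why the magic must change. */
int pcap_read_header(const unsigned char *in, size_t len, struct pcap_file_header *h, int *swapped) {
    if (len < sizeof *h) return -1;
    memcpy(h, in, sizeof *h);
    if (h->magic == PCAP_MAGIC) *swapped = 0;
    else if (h->magic == PCAP_MAGIC_SWAPPED) *swapped = 1;
    else return -2;
    if (*swapped) {   /* capture came from a host of the opposite endianness */
        h->version_major = bswap16(h->version_major);
        h->version_minor = bswap16(h->version_minor);
        h->thiszone = (int32_t)bswap32((uint32_t)h->thiszone);
        h->sigfigs  = bswap32(h->sigfigs);
        h->snaplen  = bswap32(h->snaplen);
        h->linktype = bswap32(h->linktype);
    }
    /* Only 2.4 here; older versions need the per-version heuristics the thread mentions. */
    if (h->version_major != 2 || h->version_minor != 4) return -3;
    return 0;
}
```

The reader deliberately does not try to guess the platform that wrote the file: as Guy notes, the same DLT number has meant different things on different OSes, so `linktype` is returned as-is for the caller to interpret.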
