[ntar-workers] Extending Wireshark libpcap format support, or start using pcapng now ?!?

Pekka Pietikainen pp at ee.oulu.fi
Thu Sep 27 11:55:59 GMT 2007


On Thu, Sep 27, 2007 at 01:10:42PM +0200, Ulf Lamping wrote:
> Hi List!
> 
> I have demand for storing some meta information into the capture file and
> later display it in Wireshark. This information is available in a separate
> capture tool and currently cannot be transferred to Wireshark to be
> displayed :-(
> 
> I see two possible ways to achieve this:
> 
> a) extend libpcap format by using a new DLT_ value and putting the meta
> info somehow into it (e.g. by putting some TLV information between the
> b) bringing pcapng http://www.winpcap.org/ntar/default.htm to life. I
> guess that this would solve the problems mentioned above, but I have no
Evil hack of the day that may be useful: Don't add a new DLT_ value, instead
munge your captured packets to look like something that already can be
parsed. Fake VLAN tags are great for separating capture interfaces!
No need to modify existing tools to handle them, you can use bpf filters etc.
Sure it's evil. But often effective.
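As an added illustration of the fake-VLAN-tag trick (example code, not from the original post or from any capture tool it mentions), this Python inserts an 802.1Q tag whose VID carries the capture interface id, so the result still parses as plain DLT_EN10MB and a filter like `vlan 2` selects one interface; the sample frame and the minimal libpcap writer are constructed here.

```python
import struct

ETH_P_8021Q = 0x8100  # TPID of an 802.1Q tag


def tag_frame(frame: bytes, iface_id: int, pcp: int = 0) -> bytes:
    """Insert a fake 802.1Q tag whose VID carries the capture interface id.

    The tag goes right after the 12 address bytes, so the frame remains a
    valid DLT_EN10MB frame. If the frame is already tagged, the fake tag
    becomes the outer tag (the capture then looks like QinQ).
    """
    if not 0 < iface_id < 4095:  # VIDs 0 and 4095 are reserved
        raise ValueError("iface_id must be in 1..4094")
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    tci = ((pcp & 0x7) << 13) | iface_id  # priority bits + VID, DEI left 0
    return frame[:12] + struct.pack(">HH", ETH_P_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes) -> tuple[int, bytes]:
    """Recover (iface_id, original_frame) from a frame made by tag_frame."""
    tpid, tci = struct.unpack(">HH", frame[12:16])
    if tpid != ETH_P_8021Q:
        raise ValueError("no 802.1Q tag at the expected offset")
    return tci & 0x0FFF, frame[:12] + frame[16:]


def pcap_file(frames, linktype: int = 1) -> bytes:
    """Serialise (ts_sec, ts_usec, data) tuples as a classic little-endian
    libpcap file; linktype 1 is DLT_EN10MB, which every reader understands."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts_sec, ts_usec, data in frames:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)) + data
    return out


# Constructed sample: Ethernet header plus a minimal IPv4 header, not a real capture
SAMPLE_FRAME = bytes.fromhex(
    "001122334455"  # destination MAC
    "66778899aabb"  # source MAC
    "0800"          # EtherType IPv4
    "4500001400010000400100000a0000010a000002"  # 20-byte IPv4 header
)

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_FRAME, iface_id=2)  # "interface 2" becomes VID 2
    iface, original = untag_frame(tagged)
    capture = pcap_file([(1190890559, 0, tagged)])
    print(f"{len(capture)}-byte pcap; frame carries VID {iface}, round-trip ok: {original == SAMPLE_FRAME}")
```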

Oh. If you add a new DLT_ value, have it in a way that is extensible
and has a way of saying "Here's the raw packet data. It's plain old
DLT_EN10MB". And the next one might be 802.11, and the next one 802.11 with
a radiotap header.