Re: Enhanced PCAP-NG dissection
From: Brandon Carpenter <hashstat () pnnl gov>
Date: Thu, 18 Apr 2013 13:01:39 -0700
On 04/17/2013 4:22 PM, Guy Harris wrote:
Yes, sorry. I was unfamiliar with editcap (and just educated myself).
I now see the problem. And I was wrong in my response anyway. My
change passes the whole PCAP-NG block as if it were the packet data
which is something that would cause conversions with editcap to fail
> I'm not talking about saving/exporting from Wireshark (or "-r" and "-w" from
> I'm talking about using *editcap*, which includes no dissectors and should not include any dissectors, to do that form
And I agree with everything else you said, too (well, mostly anyway).
So what if we allow wiretap readers the ability to pass on a list of
buffers, each with a type. Then dissectors and writers can "look"
through the list and use only what it is able and ignore items it
doesn't understand or does not want to process. So pcapng_read() could
return something like the following (using Pythonic syntax for lists and
1. [(PCAPNG_BLOCK, (SHB, header data))]
2. [(PCAPNG_BLOCK, (IDB, interface data))]
3. [(PCAPNG_BLOCK, (NRB, name options)), (NAME, (ip address, names,
4. [(PCAPNG_BLOCK, (EPB, packet options)), (FRAME, (wtap_pkthdr,
5. [(PCAPNG_BLOCK, (EPB, packet options)), (FRAME, (wtap_pkthdr,
6. [(PCAPNG_BLOCK, (IDB, interface data))]
7. [(PCAPNG_BLOCK, (EPB, packet options)), (FRAME, (wtap_pkthdr,
In libwireshark, the dissector would store comments from the first item,
a section header block, but would not display it in the packet list.
Item 2, an interface descriptor block, might append the interface data
to a separate interface list and also not add anything to the packet
list. Item 3, a name resolution block, would provide the name
resolution, which could be added to the names list while also ignoring
the packet list. With item 4, there is finally data to append to the
packet list with the addition of metadata, in the form of PCAP-NG
options, which can also be displayed. An expert dissector could be
enabled to also show the PCAP-NG blocks in the packet listing, along
with detailed dissection (a great tool for learning PCAP-NG or for
exploring new block types and options). When the data is transformed to
another format, as with editcap, unknown items can be ignored.
I think my head is about to explode now. Time for lunch.
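The typed-item list sketched above, worked through as an added C example that is not Wireshark or wiretap code: a reader returns one PCAPNG_BLOCK item per block plus a FRAME item for each EPB, and an editcap-style consumer takes only the FRAME items and ignores the rest. The item kinds, the struct layout, the little-endian-only parsing and the sample capture are constructed here; the block type codes and EPB field offsets follow the pcapng format.

```c
#include <stdint.h>
#include <string.h>
/* Item kinds and pcapng block type codes, modelled on the typed-list proposal above (constructed here). */
enum item_kind { PCAPNG_BLOCK, FRAME }; enum { SHB = 0x0A0D0D0A, IDB = 1, NRB = 4, EPB = 6 };
struct item { enum item_kind kind; uint32_t block_type; const uint8_t *data; size_t len; };
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
/* Read one little-endian block at *off into out[] (1 item, or 2 when an EPB also yields a FRAME); returns the item count, or -1 for a truncated, unaligned or length-mismatched block. */
static int pcapng_read_block(const uint8_t *buf, size_t buflen, size_t *off, struct item out[2]) {
    if (buflen - *off < 12) return -1;
    uint32_t type = rd32(buf + *off), len = rd32(buf + *off + 4);
    if (len < 12 || (len & 3) || len > buflen - *off) return -1;
    if (rd32(buf + *off + len - 4) != len) return -1;          /* trailing length must match */
    out[0] = (struct item){PCAPNG_BLOCK, type, buf + *off + 8, len - 12}; int n = 1;
    if (type == EPB) {  /* EPB body: if_id, ts_hi, ts_lo, caplen, origlen, packet data */
        uint32_t caplen = rd32(buf + *off + 20);
        if (len < 32 || caplen > len - 32) return -1;           /* caplen must fit inside the block */
        out[n++] = (struct item){FRAME, type, buf + *off + 28, caplen};
    }
    *off += len; return n;
}
/* editcap-style consumer: uses only FRAME items and ignores every PCAPNG_BLOCK item, known or not; returns the frame count, or -1 on a malformed block. *bytes receives the total captured length. */
static int copy_frames(const uint8_t *buf, size_t buflen, size_t *bytes) {
    size_t off = 0; int frames = 0; *bytes = 0;
    while (off < buflen) {
        struct item items[2]; int n = pcapng_read_block(buf, buflen, &off, items);
        if (n < 0) return -1;
        for (int i = 0; i < n; i++)
            if (items[i].kind == FRAME) { frames++; *bytes += items[i].len; }
    }
    return frames;
}
/* Build a constructed sample capture: SHB, IDB, then two EPBs carrying 4- and 6-byte packets. */
static size_t put_block(uint8_t *b, uint32_t type, const uint8_t *body, size_t bodylen) {
    size_t padded = (bodylen + 3) & ~(size_t)3, len = 12 + padded;  /* bodies are padded to 32 bits */
    wr32(b, type); memset(b + 8, 0, padded); memcpy(b + 8, body, bodylen);
    wr32(b + 4, (uint32_t)len); wr32(b + 8 + padded, (uint32_t)len); /* length before and after body */
    return len;
}
static size_t build_sample(uint8_t *b) {
    static const uint8_t shb[] = {0x4D,0x3C,0x2B,0x1A, 1,0, 0,0, 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};
    static const uint8_t idb[] = {1,0, 0,0, 0xFF,0xFF,0,0};
    static const uint8_t epb1[] = {0,0,0,0, 0,0,0,0, 0,0,0,0, 4,0,0,0, 4,0,0,0, 0xDE,0xAD,0xBE,0xEF};
    static const uint8_t epb2[] = {0,0,0,0, 0,0,0,0, 0,0,0,0, 6,0,0,0, 6,0,0,0, 1,2,3,4,5,6};
    size_t n = put_block(b, SHB, shb, sizeof shb); n += put_block(b + n, IDB, idb, sizeof idb);
    n += put_block(b + n, EPB, epb1, sizeof epb1); n += put_block(b + n, EPB, epb2, sizeof epb2);
    return n;
}
```

A dissector-side consumer would walk the same list but keep the PCAPNG_BLOCK items (storing SHB comments, appending IDBs to an interface list) and only add FRAME items to the packet list.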