tcpdump mailing list archives

Problem with generation of Pcap traces for Wireshark through Libpcap


From: Johan Mazel <johan.mazel () gmail com>
Date: Wed, 13 May 2009 20:38:16 +0200

Hi
I'm trying to use libpcap to generate some packets traces.
I want these traces to be fully usable in Wireshark.
Unfortunately my traces are not fully usable by Wireshark, i.e.: Wireshark
cannot recognize each protocol inside.
I tried to find a reason for this phenomenon and I think I found it.

I'm using Ubuntu 9.04, libpcap0.8 version 1.0.0-1 and Wireshark
1.0.7-1ubuntu1.

My program works like this:
- I initialize my process of capture on my network interface (eth0) through
these 2 functions: pcap_create, pcap_activate (I also use some functions
like pcap_set_timeout, pcap_set_direction but this is not really relevant).
- I initialize my process of writing into the file through these 2 functions:
pcap_create, pcap_dump_open.
- I capture a packet with the pcap_next_ex function and then, I dump it into the
file through the pcap_dump function.
- I close my capture file with the pcap_dump_close function.

And then, I realize a capture with both Wireshark and my little piece of
code at the same time.
Then, I save into a file the result of the Wireshark capture in pcap format.

It is at this point that the problem occurs: Wireshark cannot parse my
traces. It only detects the timestamps.

I looked inside the 2 files with a hexadecimal editor.
The structure is the following one: the first 24 bytes of the file are the
ones of the header. And each packet is just dumped right after the previous
one.

I found out some differences between my trace and the one from Wireshark.
First, each packet timestamp is different, this is probably caused by the
fact that the two programs cannot capture the same packets at the exact same
time.

But there is another difference that, if corrected, allows me to fully
use my trace with Wireshark.
The 21st byte of the packet has the value 01 in my Wireshark tracefile and
00 in my own tracefile. This IS the difference.
From what I've deduced, this value is supposed to tell Wireshark the type of
datalink layer that is used.
I'm guessing that 01 means Ethernet. I also tried some other values and I
found out that 06 is Token Ring, 07 ARCnet, etc...
In Wireshark, you can see the difference in the GUI: for example, if you
capture an ARP packet over ethernet, the 9th line in the frame of data (the
one with the timestamps, etc...) is supposed to be: "Protocols in frame:
eth:arp".
If I open one of my traces with Wireshark, I get: "Protocols in frame:
null:data".

My question is: did I miss a function in the pcap library that allows me to
generate my perfect tracefile?
If it is the case, what is the name of this wonderful function? :)
Or is it a bug?

Thanks for your time.
Johan Mazel
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
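The file layout the post inspects by hand, as an added example that is not from the original post or from libpcap: it writes the 24-byte pcap global header with the link type at offset 20 (the "21st byte"), appends one constructed ARP-over-Ethernet record, and reads the link type back. With libpcap itself, a dump handle carrying a chosen link type is obtained with pcap_open_dead(DLT_EN10MB, snaplen); the file path and sample frame below are the example's own.

```c
/* Added example, not from the original post: a hand-rolled pcap writer showing
 * where the link-layer type sits in the 24-byte file header, plus a reader that
 * fetches it back. The ARP frame is constructed; no libpcap needed. */
#include <stdint.h>
#include <stdio.h>

#define PCAP_MAGIC        0xa1b2c3d4u  /* microsecond-timestamp pcap */
#define LINKTYPE_NULL     0            /* shown by Wireshark as "null:data" */
#define LINKTYPE_ETHERNET 1            /* DLT_EN10MB, shown as "eth:arp" etc. */

/* Little-endian store, so the file bytes match on any host. */
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Global header: magic@0 major@4 minor@6 thiszone@8 sigfigs@12 snaplen@16
 * linktype@20. Offset 20 is the "21st byte" the post compares. */
static int write_file_header(FILE *f, uint32_t linktype) {
    uint8_t h[24] = {0};
    put32(h, PCAP_MAGIC); h[4] = 2; h[6] = 4;      /* version 2.4 */
    put32(h + 16, 65535); put32(h + 20, linktype); /* snaplen, link type */
    return fwrite(h, 1, sizeof h, f) == sizeof h ? 0 : -1;
}
/* Packet record: ts_sec, ts_usec, incl_len, orig_len, then the raw bytes. */
static int write_packet(FILE *f, uint32_t sec, uint32_t usec,
                        const uint8_t *data, uint32_t len) {
    uint8_t r[16];
    put32(r, sec); put32(r + 4, usec); put32(r + 8, len); put32(r + 12, len);
    if (fwrite(r, 1, sizeof r, f) != sizeof r) return -1;
    return fwrite(data, 1, len, f) == len ? 0 : -1;
}
/* Writes a one-packet trace: a constructed ARP request over Ethernet. */
int write_sample_trace(const char *path, uint32_t linktype) {
    static const uint8_t arp[42] = {
        0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0,0,0,0,1, 0x08,0x06,   /* Ethernet */
        0,1, 8,0, 6,4, 0,1, 0x02,0,0,0,0,1, 192,0,2,1,               /* ARP who-has */
        0,0,0,0,0,0, 192,0,2,2 };
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    int rc = write_file_header(f, linktype) ||
             write_packet(f, 1242240000, 0, arp, sizeof arp);
    return (fclose(f) == 0 && rc == 0) ? 0 : -1;
}
/* Reads back the link type from the file header; -1 on error. */
long read_linktype(const char *path) {
    uint8_t h[24];
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(h, 1, sizeof h, f);
    fclose(f);
    if (n != sizeof h) return -1;
    return (long)h[20] | (long)h[21] << 8 | (long)h[22] << 16 | (long)h[23] << 24;
}
```

Opening the file written with LINKTYPE_ETHERNET in Wireshark dissects the record as eth:arp, while the same bytes under LINKTYPE_NULL give the null:data the post describes.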