The advice in the Wiki about "How to Dissect Anything" is your best bet here.

There is no link-layer type used in pcap or pcapng for Q931 by itself. However, you can use one of the private use USER link types from 147 to 162.

text2pcap -E user3 q931.txt q931.pcapng

(or text2pcap -l 150 q931.txt q931.pcapng)

You can then tell your personal version of Wireshark to dissect that particular User DLT as you wish, by using the user DLT. In your case, you would then configure DLT 150 to use the q931 dissector.

The disadvantage, as this is a private use data link type, is that if you share the file with someone else, they will also have to configure Wireshark similarly to read it, unlike using the LDAP link layer type.

_edit_: Another option is to use the WIRESHARK_UPPER_PDU link layer type, with

text2pcap -E wireshark-upper-pdu -P q931 q931.txt q931.pcapng

or

text2pcap -l 252 -P q931 q931.txt q931.pcapng

(If you enter text2pcap -E with nothing else, it will list all possible encapsulations and their descriptions.)

text2pcap -P <dissector> is supposed to automatically set the link layer type to WIRESHARK_UPPER_PDU, but it seems like that's currently broken.

The WIRESHARK_UPPER_PDU type adds some metadata that tells Wireshark what dissector to run to process the following data. It makes a slightly larger file, but has the advantage that anyone else opening the file in Wireshark or tshark can make it work. Non-Wireshark programs that read pcaps still probably can't deal with it, but they can perhaps see the metadata.
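What the two options look like on disk, as an added example that is not part of the original answer or of Wireshark's own code: it writes the same Q.931 message once with link type 150 and once with link type 252 plus the dissector-name metadata, then reads both back. Assumptions: the tag numbers (12 for the dissector name, 0 for end of options) and the 4-byte padding follow Wireshark's exported-PDU TLV layout, the container is classic pcap rather than pcapng to keep it short, and the Q.931 bytes are constructed.

```python
import struct

LINKTYPE_USER3 = 150      # "-E user3" / "-l 150" in the answer
LINKTYPE_UPPER_PDU = 252  # "-E wireshark-upper-pdu" / "-l 252" in the answer
# Assumed exported-PDU tag numbers (Wireshark's TLV header): 12 = dissector name, 0 = end.
TAG_DISSECTOR_NAME, TAG_END = 12, 0
PCAP_MAGIC = 0xA1B2C3D4

# Constructed sample: Q.931 SETUP, call reference 0x0001, one Bearer Capability IE.
Q931_SETUP = bytes.fromhex("08 02 00 01 05 04 03 80 90 a3")

def upper_pdu_header(dissector):
    """Metadata placed in front of each PDU: name TLV (padded to 4 bytes), then end TLV."""
    name = dissector.encode("ascii")
    name += b"\x00" * (-len(name) % 4)
    return struct.pack("!HH", TAG_DISSECTOR_NAME, len(name)) + name + struct.pack("!HH", TAG_END, 0)

def build_pcap(linktype, frames):
    """Classic little-endian pcap: 24-byte file header, then 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, linktype)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(blob):
    """Return (linktype, [frame bytes]) from a little-endian classic pcap."""
    magic, *_, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    frames, off = [], 24
    while off < len(blob):
        caplen = struct.unpack_from("<IIII", blob, off)[2]
        frames.append(blob[off + 16:off + 16 + caplen])
        off += 16 + caplen
    return linktype, frames

def split_upper_pdu(frame):
    """Return (dissector name, payload); raises ValueError on a truncated TLV list."""
    name, off = None, 0
    while off + 4 <= len(frame):
        tag, length = struct.unpack_from("!HH", frame, off)
        off += 4
        if tag == TAG_END:
            return name, frame[off:]
        if tag == TAG_DISSECTOR_NAME:
            name = frame[off:off + length].rstrip(b"\x00").decode("ascii")
        off += length
    raise ValueError("exported-PDU header has no end-of-options tag")

if __name__ == "__main__":
    for lt, fr in ((LINKTYPE_USER3, Q931_SETUP), (LINKTYPE_UPPER_PDU, upper_pdu_header("q931") + Q931_SETUP)):
        print(lt, len(build_pcap(lt, [fr])), fr.hex())
```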