Ask Your Question
0

LoRaWan PCAP, wireshark not able to interpret

asked 2019-09-05 12:43:03 +0000

apku04 gravatar image

having trouble getting wireshark to open my pcap file. I have wireshark 3.0.3, installed and I am using LoRaWan tap as defined here: https://github.com/eriknl/LoRaTap

my pcap header looks like this:

pcap_header[0] = 0xa1; //PCAPH_MAGIC_NUM
pcap_header[1] = 0xb2; //PCAPH_MAGIC_NUM
pcap_header[2] = 0xc3; //PCAPH_MAGIC_NUM
pcap_header[3] = 0xd4; //PCAPH_MAGIC_NUM
pcap_header[4] = 0x03; // PCAPH_VER_MAJOR
pcap_header[5] = 0x00; // PCAPH_VER_MINOR
pcap_header[6] = 0x00; // PCAPH_THISZONE
pcap_header[7] = 0x00; // PCAPH_SIGFIGS
pcap_header[8] = 0xFF; // //PCAPH_SNAPLEN_1
pcap_header[9] = 0xFF; // //PCAPH_SNAPLEN_1
pcap_header[10] = 0x01; // LORATAB1
pcap_header[11] = 0x0E; // LORATAB2

my loraTap header looks like this:

loratap_header.lt_length = sizeof(loratap_header);
loratap_header.lt_version = 0;
loratap_header.channel.bandwidth = 125000;
loratap_header.channel.frequency = p->freq_hz;
loratap_header.channel.sf = p->datarate;
loratap_header.lt_padding = 0;
loratap_header.rssi.current_rssi = p->rssi;
loratap_header.rssi.max_rssi = p->rssi;
loratap_header.rssi.snr = p->snr;
loratap_header.rssi.packet_rssi = p->rssi;
loratap_header.sync_word = 0x34;

when I receive a LoRa frame I create a "loratap_header" as specified from "Eriknl, git" and dump the frame after it. everything is dumped to a xxxx.pcap by "fwrite(...)" in C code

when I open the pcap i get the following error

"The file "The file "log_trace.pcap" contains record data that Wireshark doesn't support. (pcap: network type 1208090624 unknown or unsupported)"

any idea of this error? wireshar should support LoRawan according to https://www.wireshark.org/docs/dfref/...

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-09-05 14:04:58 +0000

Pascal Quantin gravatar image

Hi,

your libpcap header format seems wrong (for example fields like major and minor versions are 2 bytes long, not 1, the network type is 4 bytes long and not 2 bytes long, etc...). Please refer to https://wiki.wireshark.org/Developmen... for a description of the format, and pay attention to fields that are more than 1 byte long (guint16, guint32...): you should write them properly so that Wireshark can guess your machine endianness.

edit flag offensive delete link more

Comments

your libpcap header format seems wrong

That's because it IS wrong, for the reasons you specify.

Please refer to https://wiki.wireshark.org/Developmen... for a description of the format

Or to the closest thing to an official specification, namely either the text version or the HTML version of the pcap-savefile(5) man page. (One of these days there should be a specification in I-D format, and maybe it should even become an RFC, just as there's an RFC for the Sun snoop capture format.

Guy Harris gravatar imageGuy Harris ( 2019-09-05 19:15:40 +0000 )edit

I thank both for your input,

I have one question thou; I can see that the file should include:

  1. pcap_hdr
  2. pcaprec_hdr raw_data ....

but what about the pcaptap_hdr as mentioned here: https://github.com/eriknl/LoRaTap

I thought that the pcaptap_hdr should accompany each rawdata frame and not the pcaprec_hdr as mentioned in those spec you both provided ?

or is it

[pcap_hdr] [pcaprec_hdr] [pcaptap_hdr] [raw_data] ....... [pcaprec_hdr] [pcaptap_hdr] [raw_data] .. and so on ?

apku04 gravatar imageapku04 ( 2019-09-06 05:43:11 +0000 )edit

At the beginning of your file you should have a pcap_hdr_t structure. Then for each packet you should have a pcaprec_hdr_t structure followed by the loratap_header_t structure and the raw data. So a pcap with 2 packets should look like this:

[pcap_hdr_t][pcaprec_hdr_t][loratap_header_t][raw_data][pcaprec_hdr_t][loratap_header_t][raw_data]

Pascal Quantin gravatar imagePascal Quantin ( 2019-09-06 07:23:32 +0000 )edit

I.e., pcaprec_hdr_t is the format of the header that is at the beginning of every single record in every single pcap file, regardless of the link-layer type.

What follows each pcaprec_hdr_t is a link-layer header of the type described, for the link-layer type in the file, in the list of link-layer header types for pcap and pcapng files. For LINKTYPE_LORATAP (270), that page says what follows the pcaprec_hdr_t is a LoRaTap header. After that comes whatever follows that.

Guy Harris gravatar imageGuy Harris ( 2019-09-06 07:37:01 +0000 )edit

got it working now thanks both :)

apku04 gravatar imageapku04 ( 2019-09-06 08:02:45 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-09-05 12:43:03 +0000

Seen: 1,923 times

Last updated: Sep 05 '19