Ask Your Question
0

How to creat a pipe?

asked 2017-12-08 03:28:38 +0000

ehehe gravatar image

Question: Wireshark supports a lots of protocols, it is very nice! Howere, any data is exchanged using USB, such as COM3. I can use wireshark to capture the data, but wireshark analysis data in USB, I can just watch the data hex code, I want to wireshark analysis the data in select protocol.

I used a tool which can creat a pipe(\.\pipe\pipe1) and capture data from COMx, when I chose this pipe in wireshark, wireshark only analysis the data exchanging in USB, rigth protocol instead of USB protocol.

Is there any guide for how to write this kind tool, or any other ways to solve question?

Thanks!

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2017-12-08 13:01:53 +0000

sindy gravatar image

This is several questions in one.

The best way to feed Wireshark with data using a pipe is to use the extcap API, which allows Wireshark to learn the properties of the capturing interface, packet format etc. and indicate to the capturing process which pipe to use. You can do that manually as well but it is not convenient for repeated use.

Regardless how you start feeding Wireshark through a pipe, the data fed to the pipe have to follow the pcap or, which is a recent improvement, pcapng format.

And regardless whether you encapsulate your application data into a pcap(ng) record directly or whether they are encapsulated in e.g. USB URBs, you need a piece of software called dissector to convert the binary data of a given protocol into a human-readable form. The dissector needs to be pointed to the portion of data it is responsible for, which is usually accomplished by means of so dissector tables.

The instruction how to write a dissector and hook it to the right place of the dissector tree can be found here. You can also use the Lua API for Wireshark for rapid prototyping of dissectors - look here.

Specially for generic analysis of serial connections, it makes sense to make the transport layer PDU (Protocol Data Unit) a single byte, because it is the only way how to provide each byte with its own timestamp. If you do that, you'll likely have to use reassembly to complete the application layer PDUs (like e.g. modem AT commands).

Also, if serial connections are what you are really interested in, you may use virtual serial ports linked to Serial over LAN adaptors and capture the IP communication between your machine and the adaptor.

edit flag offensive delete link more

Comments

Thanks for your so much detailed answer firstly!

You write a lot, and I basically understand how to do, it means I have to learn and do a lot. I will ask you much (after have searched in internet), hope you do not be impatient, thanks again!!

ehehe gravatar imageehehe ( 2017-12-12 06:28:38 +0000 )edit

Hi,

I have write a tool to open a pipe and send data to Wireshark in pcap format. It works good in some protocols, but does not work in some protocol those can find and enable in Wireshark but do have encapsulation type( http://www.tcpdump.org/linktypes.html ) like e.g. DNP3.0 protocol.

How can I do?

Thanks.

ehehe gravatar imageehehe ( 2018-01-02 13:50:55 +0000 )edit

I assume "it does not work" means that Wireshark displays these packets but does not dissect their payload, i.e. it displays everything after the Ethertype value as "data".

If not and these packets have no Ethernet header (MAC addresses, ethertype etc.) at all, then the first issue is that .pcap format does not support packets (frames) of several different encapsulations - all must be of the same type. So even if your packets are not Ethernet ones, if you specify the encapsulation type in the .pcap header as Ethernet, Wireshark tries to dissect them as Ethernet ones.

Can you share an example of a pcap file with these packets? On this site, "share" means "publish the file using cloudshark.org or any plain file sharing service and edit your Question with a login-free link to the file". Or put the link into a comment.

sindy gravatar imagesindy ( 2018-01-02 14:15:30 +0000 )edit

cloudshard.org There is no free space, maybe I do not used correctly. In this link https://drive.google.com/folderview?i... is the main code file in my project and a .exe file. In the file BacnetCapture.cs line 52 you can see it used the encapsulation type 165(165 = bacnet mstp). This tool can capture the data exchanged in serial port (COMx), and sent to Wireshark, then Wireshark will analysis the data in BACnet protocol not USB protocol. But such as DNP3.0, these protocol do not have encapsulation type(I can not find in http://www.tcpdump.org/linktypes.html), so I do not know how to do?I want Wireshark analysis the data in DNP3.0.

ehehe gravatar imageehehe ( 2018-01-03 02:39:54 +0000 )edit

Housekeeping - cloudshark.org allows to upload only pcap(ng) files, no source code. What I was asking you for was the generated capture file, not the source code, hence I've suggested cloudshark.org as the first choice. But I've got what I needed to know from what you wrote.

To the topic:

There are several main reasons why no "registered" encapsulation type exists for a protocol:

  • it is too new

  • it is too obscure

  • it is usually found in the wild as an application protocol using some other one (like IP or Ethernet) as transport layer

For such protocols, you have two basic options:

  • to provide a pseudo-header of a protocol which is typically used as transport layer, and if you are really lucky, with a selector value telling anyone, not just Wireshark, that the payload is the protocol which you need to dissect (like ethertype 0x800 indicating ...

(more)
sindy gravatar imagesindy ( 2018-01-04 17:54:44 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2017-12-08 03:28:38 +0000

Seen: 350 times

Last updated: Dec 08 '17