Ask Your Question
0

802.15.4 USBTab frame format

asked 2019-04-23 08:26:08 +0000

tpt gravatar image

updated 2019-04-23 09:04:20 +0000

Hi all,

I have my own 802.15.4 Packet Capturing device (the 'sniffer'), and a python program that collects the frames, and emits a pcap file, which can be analyzed in WireShark. This works fine.

Now I want to change to output of the sniffer firmware to a more native Wireshark/PCap format, and just let Wireshark start a USB Tap device. But I have trouble finding out (/finding the specs on) what exactly to send.

Hex decoding a working/correct .pcap file gives me:

// this is the file header:
d4c3b2a1-0200-0400-00000000-00000000-ffff0000-c3000000
// here comes the frames
58989c5c-b36b0c00-5f000000-5f000000-01e2<....cut>
58989c5c-336c0c00-5f000000-5f000000-01e2<....cut>

The 'c3000000' is the DLT_IEEE802_15_4_WITHFCS and is only issued once: in the file-header.

So - What excactly should I emit from the sniffer-firmware ?

  1. Excaclty the same as above? Possibly emitting the "file-header" every 5 seconds, so WireShark can know wich DLT type we are talking about. ... or before each frame , if I want to waste the bandwith on that :-)

  2. Is there another encapsulation, that I'm not aware of , when live-streaming from a device, as opposed to reading from a file?

Future: I am aware of the newer/better format of the DLT_IEEE802_15_4_TAP here: https://github.com/jkcko/ieee802.15.4... I just wanted to make a proof-of-concept with the current format first, - if possible.

Thx in advance for pointers/suggestions

/tpt

edit retag flag offensive close merge delete

Comments

You state you want to output a "more native Wireshark/PCap format", do you mean pcapng? If so see the wiki page here.

grahamb gravatar imagegrahamb ( 2019-04-23 10:16:41 +0000 )edit

Now I want to change to output of the sniffer firmware to a more native Wireshark/PCap format, and just let Wireshark start a USB Tap device.

What do you mean by "a USB Tap device"?

And why do you want a USB device for an 802.15.4 sniffer? If the sniffing device happens to plug into your machine via USB, that's irrelevant - USB Ethernet adapters look like other Ethernet adapters, providing Ethernet frames using DLT_EN10MB, and USB 802.11 adapters look like other 802.11 adapters.

Guy Harris gravatar imageGuy Harris ( 2019-04-23 19:29:23 +0000 )edit

Thx for replies both of you. I also think I'm messing up concepts here. :-)

Recap: I have a 802.15.4 sniffer , that happens to be connected (thx Guy) to the PC by USB, and also RF232 in fact. Today I have a python program that collects the frames from the sniffer, and writes a pcap / pcapng file to disk. I can open this file in Wireshark - everything is fine.

In the future, I want to cut the python program, and just emit data from the sniffer (via USB - currently a CDC device), and open/use it in Wireshark directly.

This means : a) that I must emit data from the sniffer in the correct format. Question (from original post) was, is it just the binary identical format from the pcap/pcapng on-disk file-format? b) that I must present the USB device to the OS in the right way. I ...(more)

tpt gravatar imagetpt ( 2019-04-25 08:35:05 +0000 )edit

Update - for Question b) , the best candidates atm looks like:

" Emulation of network connectivity using the RDNIS protocol using the ACM (Abstract Control Model) subclass of CDC. This enables network connections over USB between a Windows host PC and an embedded device, as well as USB Device RNDIS to Ethernet Bridge applications.

Emulation of an Ethernet adapter using the NCM (Network Control Model) subclass of CDC (only available for USB Device). Using CDC (NCM), you can create Ethernet-over-USB (for Linux hosts) applications on Linux-based host systems. "

If you happen to know what direction I should take, please let me know. :-)

tpt gravatar imagetpt ( 2019-04-25 08:51:49 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-04-25 10:07:31 +0000

grahamb gravatar image

updated 2019-04-25 10:09:59 +0000

We already have an answer for this issue; extcap.

From the man page:

The extcap interface is a versatile plugin interface that allows external binaries to act as capture interfaces directly in wireshark. It is used in scenarios, where the source of the capture is not a traditional capture model (live capture from an interface, from a pipe, from a file, etc). The typical example is connecting esoteric hardware of some kind to the main wireshark app.

This is currently used, among other things, for the Nordic Semiconductor nRF Sniffer for 802.15.4.

edit flag offensive delete link more

Comments

Thx, I can certainly modify my existing python to this format. This will be a very fast solution, too.

Though: As the extcap doc mentions, that this is for connecting "esoteric hardware" to Wireshark. Original intention of this post was to make my hardware non-esoteric.

tpt gravatar imagetpt ( 2019-04-25 11:42:30 +0000 )edit

For other readers: This link is good, too: https://www.wireshark.org/docs/wsdg_h...

This solution is actually quite nice, because it lets me specify how Wireshark should generate a simple GUI for configuring my device (selection of which frequency to use, etc).

tpt gravatar imagetpt ( 2019-04-25 12:00:59 +0000 )edit

About the only thing less "esoteric" than an extcap interface is an interface directly supported by libpcap.

Libpcap supports capturing on native network interfaces, with the capturing taking place the the OS's capture mechanism (which is different on different OSes - libpcap was created by taking tcpdump's code to handle different capture mechanisms on different OSes and making it into a library usable not only by tcpdump but by other programs).

It was later changed to allow other types of devices, that aren't attached to the main OS networking stack and capture mechanism, to be captured on as well; one of the first such device types was the "DAG cards" from Endace.

Such a device could, in principle, be used by any program that uses libpcap, including but not limited to tcpdump, dumpcap, etc..

However:

  1. the mechanism for adding other types of devices to libpcap isn't currently ...
(more)
Guy Harris gravatar imageGuy Harris ( 2019-04-25 18:46:23 +0000 )edit

Thx for clarifying this :-)

/tpt

tpt gravatar imagetpt ( 2019-04-26 06:48:53 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2019-04-23 08:26:08 +0000

Seen: 920 times

Last updated: Apr 23 '19