802.15.4 USBTab frame format
Hi all,
I have my own 802.15.4 Packet Capturing device (the 'sniffer'), and a python program that collects the frames, and emits a pcap file, which can be analyzed in WireShark. This works fine.
Now I want to change the output of the sniffer firmware to a more native Wireshark/PCap format, and just let Wireshark start a USB Tap device. But I have trouble finding out (/finding the specs on) what exactly to send.
Hex decoding a working/correct .pcap file gives me:
// this is the file header:
d4c3b2a1-0200-0400-00000000-00000000-ffff0000-c3000000
// here comes the frames
58989c5c-b36b0c00-5f000000-5f000000-01e2<....cut>
58989c5c-336c0c00-5f000000-5f000000-01e2<....cut>
The 'c3000000' is the DLT_IEEE802_15_4_WITHFCS and is only issued once: in the file-header.
So - What exactly should I emit from the sniffer-firmware?
Exactly the same as above? Possibly emitting the "file-header" every 5 seconds, so WireShark can know which DLT type we are talking about. ... or before each frame, if I want to waste the bandwidth on that :-)
Is there another encapsulation, that I'm not aware of, when live-streaming from a device, as opposed to reading from a file?
Future: I am aware of the newer/better format of the DLT_IEEE802_15_4_TAP here: https://github.com/jkcko/ieee802.15.4... I just wanted to make a proof-of-concept with the current format first, - if possible.
Thx in advance for pointers/suggestions
/tpt
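The byte layout visible in the hex dump above, decoded as an added example (not code from the original post or from Wireshark): a 24-byte header that occurs once at the start, then a 16-byte header in front of every frame. The function names are hypothetical, and the frame bytes after `01e2` are constructed filler because the post cuts the frames there.

```python
import struct

GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_IEEE802_15_4_WITHFCS = 195     # 0xc3, the 'c3000000' field in the post

def parse_global_header(buf):
    """Decode the 24-byte header that starts the capture (it occurs once)."""
    if len(buf) < GLOBAL_HDR.size:
        raise ValueError("need 24 bytes for the global header")
    magic, major, minor, _tz, _sig, snaplen, linktype = GLOBAL_HDR.unpack_from(buf)
    if magic != 0xA1B2C3D4:  # little-endian byte order, microsecond timestamps
        raise ValueError("unexpected magic 0x%08x" % magic)
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype}

def pack_record(ts_sec, ts_usec, frame):
    """Build one record: 16-byte header followed by the frame bytes."""
    return RECORD_HDR.pack(ts_sec, ts_usec, len(frame), len(frame)) + frame

def parse_records(buf, snaplen):
    """Return (records, leftover); leftover is an incomplete tail to keep buffering."""
    records, off = [], 0
    while len(buf) - off >= RECORD_HDR.size:
        ts_sec, ts_usec, incl_len, orig_len = RECORD_HDR.unpack_from(buf, off)
        # Lengths come from the device, so validate them before slicing.
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("corrupt record header at offset %d" % off)
        end = off + RECORD_HDR.size + incl_len
        if end > len(buf):
            break  # frame not fully received yet
        records.append((ts_sec, ts_usec, orig_len, buf[off + RECORD_HDR.size:end]))
        off = end
    return records, buf[off:]

# Header bytes exactly as quoted in the post.
FILE_HEADER = bytes.fromhex("d4c3b2a1 0200 0400 00000000 00000000 ffff0000 c3000000")
# Record headers as quoted in the post; the frames are cut there after '01e2',
# so the remaining 93 bytes are constructed zero filler, not captured data.
FRAME = bytes.fromhex("01e2") + bytes(93)
STREAM = (bytes.fromhex("58989c5c b36b0c00 5f000000 5f000000") + FRAME
          + bytes.fromhex("58989c5c 336c0c00 5f000000 5f000000") + FRAME)

def demo():
    hdr = parse_global_header(FILE_HEADER)
    # Append 10 stray bytes to show how a partial record is held back.
    records, leftover = parse_records(STREAM + STREAM[:10], hdr["snaplen"])
    return hdr, records, leftover

if __name__ == "__main__":
    hdr, records, leftover = demo()
    print(hdr, [(r[0], r[1], len(r[3])) for r in records], len(leftover))
```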
You state you want to output a "more native Wireshark/PCap format", do you mean pcapng? If so see the wiki page here.
What do you mean by "a USB Tap device"?
And why do you want a USB device for an 802.15.4 sniffer? If the sniffing device happens to plug into your machine via USB, that's irrelevant - USB Ethernet adapters look like other Ethernet adapters, providing Ethernet frames using DLT_EN10MB, and USB 802.11 adapters look like other 802.11 adapters.
Thx for replies both of you. I also think I'm messing up concepts here. :-)
Recap: I have an 802.15.4 sniffer, that happens to be connected (thx Guy) to the PC by USB, and also RF232 in fact. Today I have a python program that collects the frames from the sniffer, and writes a pcap / pcapng file to disk. I can open this file in Wireshark - everything is fine.
In the future, I want to cut the python program, and just emit data from the sniffer (via USB - currently a CDC device), and open/use it in Wireshark directly.
This means: a) that I must emit data from the sniffer in the correct format. Question (from original post) was, is it just the binary identical format from the pcap/pcapng on-disk file-format? b) that I must present the USB device to the OS in the right way. I ...
Update - for Question b), the best candidates atm look like:
"Emulation of network connectivity using the RNDIS protocol using the ACM (Abstract Control Model) subclass of CDC. This enables network connections over USB between a Windows host PC and an embedded device, as well as USB Device RNDIS to Ethernet Bridge applications.
Emulation of an Ethernet adapter using the NCM (Network Control Model) subclass of CDC (only available for USB Device). Using CDC (NCM), you can create Ethernet-over-USB (for Linux hosts) applications on Linux-based host systems."
If you happen to know what direction I should take, please let me know. :-)