This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Where to find documentation of writing an encapsulated file reader


Hi, I am working on a file reader that can read dump files containing ETSI (BER-encoded) data and ... struggling. Especially when trying to dissect the data. I already implemented a dissector, a simple BER-based reader and a packet-encap file, but the dissection mechanism, and how to call the dissector, is still a bit of a mystery to me. Any documentation / examples / tips are welcome.

asked 12 Jul '12, 07:50


Michel

So what do you mean by "a simple BER-based reader" and "a packet-encap file"? Presumably you have a file that plugs into the Wiretap library to read the file (although if it's just BER-encoded data and the top-level encoding is a SET or a SEQUENCE or a CONTEXT less than 32, there's already code in Wireshark to read it - wiretap/ber.c), and a dissector for the BER-encoded data; is the issue one of connecting the two, so that the contents of the file are dissected by your dissector?

(12 Jul '12, 19:54) Guy Harris ♦♦

I am trying to create a reader to read a dump file containing BER-encoded TLV packets (ETSI protocol). The ber.c reader can read some packets from my dump file, but is not capable of reading the entire dump itself, and has some packet size restrictions. So I have to create a reader of my own.

Furthermore, I use the mime_file, packet-mime-encap.c and packet-image-jfif.c as examples to find out how the dissector call mechanism works.

Thus I am under the assumption that I need a packet-etsi-encap.c file to do the trick, but I am not sure if I am on the right track.

(13 Jul '12, 01:35) Michel

One Answer:


So what you'd probably need to do here is:

  1. add a new WTAP_ENCAP_ value in wiretap/wtap.h for the packet format your reader provides, and have the reader supply that as the packet encapsulation value;
  2. add a new dissector that recognizes that packet format;
  3. have the dissector register in the "wtap_encap" dissector table with the new WTAP_ENCAP_ value.

answered 13 Jul '12, 18:07


Guy Harris ♦♦
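The three steps in the answer, modelled as one stand-alone C program. This is an added example, not code from Wireshark or from the asker: the table, the registration function and the encapsulation value MODEL_ENCAP_ETSI_BER are a toy stand-in for Wireshark's "wtap_encap" dissector table, where the real registration is dissector_add_uint("wtap_encap", WTAP_ENCAP_xxx, handle) in the dissector's proto_reg_handoff function after the value is added to wiretap/wtap.h. What the model does show concretely is the part the reader must do itself: framing each record from a concatenated BER dump by parsing the outer TLV length (short form and long form, which is where a short-form-only reader hits the size limit the asker mentions), refusing truncated or indefinite-length records, and then dispatching each record to whichever dissector is registered for the file's encapsulation value. The dump bytes are constructed inline.

```c
/* Added example: stand-alone model of reader -> encap table -> dissector.
 * Not Wireshark code; see lead-in for the real API names. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical encapsulation value; a real one is added to wiretap/wtap.h. */
#define MODEL_ENCAP_ETSI_BER 1001

typedef int (*dissector_fn)(const uint8_t *buf, size_t len);

/* Toy "wtap_encap"-style table: encapsulation value -> dissector. */
#define MAX_ENCAPS 8
static struct { int encap; dissector_fn fn; } encap_table[MAX_ENCAPS];
static int encap_count = 0;

static int register_encap_dissector(int encap, dissector_fn fn) {
    if (encap_count >= MAX_ENCAPS) return -1;
    encap_table[encap_count].encap = encap;
    encap_table[encap_count].fn = fn;
    encap_count++;
    return 0;
}

static dissector_fn lookup_encap_dissector(int encap) {
    for (int i = 0; i < encap_count; i++)
        if (encap_table[i].encap == encap) return encap_table[i].fn;
    return NULL;
}

/* Parse one BER TLV header: a single-byte tag (multi-byte tags, low bits
 * 0x1f, are rejected) followed by a short-form or long-form definite length.
 * Returns the header size and stores the content length, or 0 on malformed or
 * truncated input. The indefinite form (0x80) is rejected because a file
 * reader needs a definite size to find the start of the next record. */
static size_t ber_header(const uint8_t *buf, size_t len, size_t *content_len) {
    if (len < 2) return 0;
    if ((buf[0] & 0x1f) == 0x1f) return 0;        /* multi-byte tag: unsupported */
    uint8_t l = buf[1];
    if (l < 0x80) { *content_len = l; return 2; }  /* short form: 0..127 */
    size_t nbytes = l & 0x7f;                       /* long form: nbytes follow */
    if (nbytes == 0 || nbytes > sizeof(size_t) || len < 2 + nbytes) return 0;
    size_t v = 0;
    for (size_t i = 0; i < nbytes; i++) v = (v << 8) | buf[2 + i];
    *content_len = v;
    return 2 + nbytes;
}

/* The "reader": walk the dump, frame each outer TLV as one record and pass it
 * to the dissector registered for this file's encapsulation. Returns the
 * number of records dispatched, or -1 if the dump is malformed or truncated. */
static int read_dump(const uint8_t *dump, size_t len, int encap) {
    dissector_fn fn = lookup_encap_dissector(encap);
    if (!fn) return -1;
    size_t off = 0;
    int n = 0;
    while (off < len) {
        size_t clen = 0;
        size_t hlen = ber_header(dump + off, len - off, &clen);
        if (hlen == 0 || clen > len - off - hlen) return -1;  /* truncated record */
        if (fn(dump + off, hlen + clen) != 0) return -1;
        off += hlen + clen;
        n++;
    }
    return n;
}

/* The "dissector": stands in for the ETSI dissector. It re-checks that the
 * record it was handed is exactly one outer TLV and records the largest
 * payload seen. */
static size_t largest_payload = 0;
static int model_etsi_dissect(const uint8_t *buf, size_t len) {
    size_t clen = 0;
    size_t hlen = ber_header(buf, len, &clen);
    if (hlen == 0 || hlen + clen != len) return -1;
    if (clen > largest_payload) largest_payload = clen;
    return 0;
}

/* Constructed dump: record 1 is a short-form SEQUENCE holding INTEGER 5;
 * record 2 is a SEQUENCE with a two-byte long-form length (0x82 0x01 0x04 =
 * 260) wrapping a 256-byte OCTET STRING. Returns the dump length, 0 if cap is
 * too small. */
static size_t build_sample_dump(uint8_t *out, size_t cap) {
    static const uint8_t rec1[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
    static const uint8_t rec2_hdr[] = { 0x30, 0x82, 0x01, 0x04,   /* SEQUENCE, len 260 */
                                        0x04, 0x82, 0x01, 0x00 }; /* OCTET STRING, len 256 */
    size_t need = sizeof rec1 + sizeof rec2_hdr + 256;
    if (cap < need) return 0;
    memcpy(out, rec1, sizeof rec1);
    memcpy(out + sizeof rec1, rec2_hdr, sizeof rec2_hdr);
    memset(out + sizeof rec1 + sizeof rec2_hdr, 0xAB, 256);
    return need;
}

/* Steps 1-3 wired together: register the dissector for the encapsulation
 * value, then let the reader dispatch every record. Returns the record count. */
static int run_model(void) {
    uint8_t dump[512];
    size_t len = build_sample_dump(dump, sizeof dump);
    encap_count = 0; largest_payload = 0;
    if (len == 0 || register_encap_dissector(MODEL_ENCAP_ETSI_BER, model_etsi_dissect) != 0) return -1;
    return read_dump(dump, len, MODEL_ENCAP_ETSI_BER);
}

/* Same dump with its last byte cut off: the reader must report an error
 * instead of handing a short record to the dissector. */
static int run_truncated(void) {
    uint8_t dump[512];
    size_t len = build_sample_dump(dump, sizeof dump);
    encap_count = 0; largest_payload = 0;
    if (len == 0 || register_encap_dissector(MODEL_ENCAP_ETSI_BER, model_etsi_dissect) != 0) return -1;
    return read_dump(dump, len - 1, MODEL_ENCAP_ETSI_BER);
}

int main(void) {
    int n = run_model();
    printf("records dispatched: %d, largest payload: %zu bytes\n", n, largest_payload);
    printf("truncated dump result: %d\n", run_truncated());
    return 0;
}
```

In a real Wireshark plugin the reader's job ends when it returns each record with the new WTAP_ENCAP_ value set; the frame dissector then looks that value up in "wtap_encap" and calls the registered dissector, which is where a packet-etsi-encap.c would take over and hand the bytes to the existing BER-based dissector.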