This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark dump for serial connections in Unix?


Is there a command to write a Wireshark dump for serial connections on a Unix machine? And how to read that data?

asked 21 Sep '16, 23:08


SohanRawat

Do you have in mind dumping/capturing of IP packets sent over SLIP & PPP (i.e. IP over serial channel) lines, or dumping of raw serial traffic on those interfaces?

(22 Sep '16, 00:27) sindy

@Sindy: dumping of raw serial traffic on those interfaces.

(22 Sep '16, 00:32) SohanRawat

One Answer:


There is no direct way at the moment. For serious analysis, you would need to track not only the value of each byte sent but also its timestamp, maybe also the state of the control lines like RTS, CTS, DSR, ... so the capture file format would require quite a lot of extra fields, leaving aside the dissection of the captured data in Wireshark.

But if you can live with less accuracy regarding timing and control signals, I suggest you insert a pair of back-to-back connected Serial-over-LAN adaptors into your serial connection and use Wireshark (or tcpdump) to capture the TCP session between those two. The adaptors usually buffer the incoming traffic to save overhead, so as long as the serial data are coming in continuously enough, the adaptor accumulates them into a packet and only sends the packet when it reaches the MSS size; if more than some tens of milliseconds elapse after the last byte has come in, the packet is sent (with the PSH flag set) even if there is still free space available in it.

If you have enough serial ports on the machine where you capture, you may connect the first one (to which your communication application is bound) to the second one using a null modem cable, run the SoL application on the second and third serial adaptor and let them talk to each other over the loopback interface (127.0.0.1), and connect the original serial cable (previously connected to the first port) to the third one.

The above is just an illustration of the principle; actually, you may connect your application to a virtual serial port which, instead of connecting to an external SoL adaptor, connects across the loopback to a local SoL application connected to the original port, so no additional hardware ports are required.

answered 22 Sep '16, 00:53


sindy

edited 22 Sep '16, 00:57

@Sindy, is there any planning from Wireshark regarding direct capturing of serial communication dumps for the next releases?

(22 Sep '16, 01:45) SohanRawat

Not that I know of. Note that Wireshark doesn't actually make the capture itself; that's performed by an OS-specific capture library, e.g. libpcap, WinPcap or npcap, and all of those are network capture libraries.

Wireshark's capturing capabilities can be extended using extcap utilities, which are separate executables that are launched by Wireshark to perform specific capture tasks and then pass the captured traffic back to Wireshark in pcap format, so that might be an avenue you wish to explore.

(22 Sep '16, 02:51) grahamb ♦

To give you a better overview: such an extension of Wireshark and the capturing mechanism would have to include the following steps:

  • decide what would be the unit of captured data: a single byte is most logical but most expensive in terms of overhead, while a contiguous sequence of bytes leads to loss of timing information accuracy and may complicate things if there are no gaps between the bytes at all

  • depending on the above, decide how to handle parity errors

  • decide what to do with information regarding the state of control lines, whether to attach their instant status as an additional information to each byte, or record status changes independently from the serial data as events

  • how to accommodate the above into pcapng format (pcap is definitely not flexible enough)

  • modify the serial line driver so that it would provide this information to some output data stream read by libpcap or an extcap application (which both have to generate the pcapng output)

  • create a set of dissectors for Wireshark which would render the raw information from the capture into a human readable form and be able to eventually invoke higher layer dissectors for cases where a SLIP or PPP runs over the line

So this is far from simple, and far from how network capturing and analysis typically works.

What is your use case?

(22 Sep '16, 04:47) sindy
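As an added illustration that is not code from this thread or from the Wireshark project, the following Python sketch works through the first point of the list above (choosing the unit of captured data) together with grahamb's extcap hand-off: timestamped bytes are grouped into records at idle gaps, the way the Serial-over-LAN adaptor in the answer flushes its buffer, and serialised as classic pcap with the user-defined link type DLT_USER0. The byte stream, its timestamps and the 20 ms gap threshold are constructed sample values; control-line state and parity errors are deliberately absent, because classic pcap has no place for them, which is exactly the limitation sindy points out.

```python
import struct

# Classic pcap constants (file format read by libpcap, tcpdump and Wireshark)
PCAP_MAGIC = 0xa1b2c3d4    # microsecond-resolution timestamps
LINKTYPE_USER0 = 147       # DLT_USER0: private link type; Wireshark can bind it to a dissector

def pcap_global_header(linktype=LINKTYPE_USER0, snaplen=65535):
    """24-byte file header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(ts, payload):
    """16-byte record header (sec, usec, captured len, original len) followed by payload."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload

def chunk_serial_stream(events, gap=0.02):
    """Group (timestamp, byte) events into records, starting a new one whenever
    more than `gap` seconds of idle time separate two bytes (the way a
    Serial-over-LAN adaptor flushes its buffer). Only the first byte's timestamp
    survives per record; parity errors and control-line state cannot be carried
    in classic pcap at all, as the answer notes."""
    records, cur, start, last = [], bytearray(), None, None
    for ts, b in events:
        if cur and ts - last > gap:
            records.append((start, bytes(cur)))
            cur, start = bytearray(), None
        if start is None:
            start = ts
        cur.append(b)
        last = ts
    if cur:
        records.append((start, bytes(cur)))
    return records

def build_pcap(events, gap=0.02):
    """Serialise a whole capture: global header followed by one record per burst."""
    out = pcap_global_header()
    for ts, payload in chunk_serial_stream(events, gap):
        out += pcap_record(ts, payload)
    return out

# Constructed sample input: two bursts ("AT\r\n" then "OK\r\n"), bytes 1 ms apart,
# separated by a 57 ms idle gap, so they land in two separate records.
SAMPLE_EVENTS = ([(1474530000.000 + i * 0.001, b) for i, b in enumerate(b"AT\r\n")]
                 + [(1474530000.060 + i * 0.001, b) for i, b in enumerate(b"OK\r\n")])
```

Writing `build_pcap(SAMPLE_EVENTS)` to a file gives something Wireshark or `tcpdump -r` will open; an extcap utility would write the same bytes to the FIFO path Wireshark passes it instead.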