Hi all,
I have an 802.15.4 packet sniffer, and a Python program that collects the frames and emits a pcap file, which can be analyzed in Wireshark. This works fine.
Now I want to change the output of the packet sniffer firmware to a more native Wireshark/PCap format, and just let Wireshark start a USB Tap device. But I have trouble finding out (/finding the specs on) what exactly to send.
Hex decoding a working/correct .pcap file gives me:

    // this is the file header:
    d4c3b2a1-0200-0400-00000000-00000000-ffff0000-c3000000
    // here come the frames
    58989c5c-b36b0c00-5f000000-5f000000-01e2<....cut>
    58989c5c-336c0c00-5f000000-5f000000-01e2<....cut>

The 'c3000000' is the DLT_IEEE802_15_4_WITHFCS and is only issued once: in the file-header.
What should I emit from the sniffer-firmware:
1) Exactly the same as above? Possibly emitting the "file-header" every 5 seconds, so Wireshark can know which DLT type we are talking about. ... or before each frame, if I want to waste the bandwidth on that :-)
2) Is there another encapsulation that I'm not aware of when live-streaming from a device, as opposed to reading from a file?
Future: I am aware of the newer/better format of the DLT_IEEE802_15_4_TAP here: https://github.com/jkcko/ieee802.15.4-tap
I just wanted to make a proof-of-concept with the current format first, if possible.
Thx in advance for pointers/suggestions
/Troels
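
Added example, not part of the original post: a Python decoder for the classic pcap file header and per-record header, run over the bytes quoted above. The field layout is that of the libpcap file format; the function and constant names are hypothetical.

```python
import struct

# Magic as read big-endian -> (struct byte-order prefix, timestamp resolution)
MAGICS = {0xA1B2C3D4: (">", "us"), 0xD4C3B2A1: ("<", "us"),
          0xA1B23C4D: (">", "ns"), 0x4D3CB2A1: ("<", "ns")}

# Bytes quoted in the post (dashes removed); the frame payload is cut there.
FILE_HEADER = bytes.fromhex("d4c3b2a1020004000000000000000000ffff0000c3000000")
RECORD_HEADER = bytes.fromhex("58989c5cb36b0c005f0000005f000000")

def parse_file_header(buf):
    """Decode the 24-byte header that opens a classic pcap stream."""
    if len(buf) < 24:
        raise ValueError("pcap file header is 24 bytes")
    magic = struct.unpack(">I", buf[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a classic pcap magic: %#x" % magic)
    endian, resolution = MAGICS[magic]
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", buf[4:24])
    return {"endian": endian, "resolution": resolution,
            "version": (major, minor), "snaplen": snaplen, "linktype": linktype}

def parse_record_header(buf, hdr):
    """Return (ts_sec, ts_frac, incl_len, orig_len) from a 16-byte record header."""
    return struct.unpack(hdr["endian"] + "IIII", buf[:16])

def iter_records(buf, hdr):
    """Yield (ts_sec, ts_frac, orig_len, data) for each complete record in buf."""
    off = 0
    while off + 16 <= len(buf):
        ts_sec, ts_frac, incl_len, orig_len = parse_record_header(buf[off:], hdr)
        if incl_len > hdr["snaplen"]:
            raise ValueError("record at offset %d exceeds snaplen" % off)
        end = off + 16 + incl_len
        if end > len(buf):  # partial record: more bytes are still to arrive
            break
        yield ts_sec, ts_frac, orig_len, buf[off + 16:end]
        off = end

if __name__ == "__main__":
    hdr = parse_file_header(FILE_HEADER)
    print(hdr)                                      # linktype is 0xc3
    print(parse_record_header(RECORD_HEADER, hdr))  # timestamps and lengths
```
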