# Revision history [back]

### 802.15.4 USBTab frame format

Hi all,

I have a 802.15.4 Packet sniffer, and a python program that collects the frames, and emits a pcap file, which can be analyzed in WireShark. This works fine.

Now I want to change to output of the packet sniffer firmware to a more native Wireshark/PCap format, and just let Wireshark start a USB Tap device. But I have trouble finding out (/finding the specs on) what exactly to send.

Hex decoding a working/correct .pcap file gives me: // this is the file header: d4c3b2a1-0200-0400-00000000-00000000-ffff0000-c3000000 // here comes the frames 58989c5c-b36b0c00-5f000000-5f000000-01e2<....cut> 58989c5c-336c0c00-5f000000-5f000000-01e2<....cut>

The 'c3000000' is the DLT_IEEE802_15_4_WITHFCS and is only issued once: in the file-header.

What should I emit from the sniffer-firmware: 1) Excaclty the same as above? Possibly emitting the "file-header" every 5 seconds, so WireShark can know wich DLT type we are talking about. ... or before each frame , if I want to waste the bandwith on that :-)

2) Is there another encapsulation, that I'm not aware of , when live-streaming from a device, as opposed to reading from a file?

Future: I am aware of the newer/better format of the DLT_IEEE802_15_4_TAP here: https://github.com/jkcko/ieee802.15.4-tap I just wanted to make a proof-of-concept with the current format first, - if possible.

Thx in advance for pointers/suggestions /Troels

### 802.15.4 USBTab frame format

Hi all,

I have a 802.15.4 Packet sniffer, and a python program that collects the frames, and emits a pcap file, which can be analyzed in WireShark. This works fine.

Now I want to change to output of the packet sniffer firmware to a more native Wireshark/PCap format, and just let Wireshark start a USB Tap device. But I have trouble finding out (/finding the specs on) what exactly to send.

Hex decoding a working/correct .pcap file gives me: me:

// this is the file header:
d4c3b2a1-0200-0400-00000000-00000000-ffff0000-c3000000
// here comes the frames
58989c5c-b36b0c00-5f000000-5f000000-01e2<....cut>
58989c5c-336c0c00-5f000000-5f000000-01e2<....cut>58989c5c-336c0c00-5f000000-5f000000-01e2<....cut>


The 'c3000000' is the DLT_IEEE802_15_4_WITHFCS and is only issued once: in the file-header.

What should I emit from the sniffer-firmware: 1) sniffer-firmware:

1. Excaclty the same as above? Possibly emitting the "file-header" every 5 seconds, so WireShark can know wich DLT type we are talking about. ... or before each frame , if I want to waste the bandwith on that :-)

2)

2. Is there another encapsulation, that I'm not aware of , when live-streaming from a device, as opposed to reading from a file?

Future: I am aware of the newer/better format of the DLT_IEEE802_15_4_TAP here: https://github.com/jkcko/ieee802.15.4-tap I just wanted to make a proof-of-concept with the current format first, - if possible.

Thx in advance for pointers/suggestions /Troels

### 802.15.4 USBTab frame format

Hi all,

I have a 802.15.4 Packet sniffer, and a python program that collects the frames, and emits a pcap file, which can be analyzed in WireShark. This works fine.

Now I want to change to output of the packet sniffer firmware to a more native Wireshark/PCap format, and just let Wireshark start a USB Tap device. But I have trouble finding out (/finding the specs on) what exactly to send.

Hex decoding a working/correct .pcap file gives me:

// this is the file header:
d4c3b2a1-0200-0400-00000000-00000000-ffff0000-c3000000
// here comes the frames
58989c5c-b36b0c00-5f000000-5f000000-01e2<....cut>
58989c5c-336c0c00-5f000000-5f000000-01e2<....cut>


The 'c3000000' is the DLT_IEEE802_15_4_WITHFCS and is only issued once: in the file-header.

So - What excactly should I emit from the sniffer-firmware:sniffer-firmware ?

1. Excaclty the same as above? Possibly emitting the "file-header" every 5 seconds, so WireShark can know wich DLT type we are talking about. ... or before each frame , if I want to waste the bandwith on that :-)

2. Is there another encapsulation, that I'm not aware of , when live-streaming from a device, as opposed to reading from a file?

Future: I am aware of the newer/better format of the DLT_IEEE802_15_4_TAP here: https://github.com/jkcko/ieee802.15.4-tap I just wanted to make a proof-of-concept with the current format first, - if possible.

Thx in advance for pointers/suggestions /Troels

### 802.15.4 USBTab frame format

Hi all,

I have a my own 802.15.4 Packet sniffer, Capturing device (the 'sniffer'), and a python program that collects the frames, and emits a pcap file, which can be analyzed in WireShark. This works fine.

Now I want to change to output of the packet sniffer firmware to a more native Wireshark/PCap format, and just let Wireshark start a USB Tap device. But I have trouble finding out (/finding the specs on) what exactly to send.

Hex decoding a working/correct .pcap file gives me:

// this is the file header:
d4c3b2a1-0200-0400-00000000-00000000-ffff0000-c3000000
// here comes the frames
58989c5c-b36b0c00-5f000000-5f000000-01e2<....cut>
58989c5c-336c0c00-5f000000-5f000000-01e2<....cut>


The 'c3000000' is the DLT_IEEE802_15_4_WITHFCS and is only issued once: in the file-header.

So - What excactly should I emit from the sniffer-firmware ?

1. Excaclty the same as above? Possibly emitting the "file-header" every 5 seconds, so WireShark can know wich DLT type we are talking about. ... or before each frame , if I want to waste the bandwith on that :-)

2. Is there another encapsulation, that I'm not aware of , when live-streaming from a device, as opposed to reading from a file?

Future: I am aware of the newer/better format of the DLT_IEEE802_15_4_TAP here: https://github.com/jkcko/ieee802.15.4-tap I just wanted to make a proof-of-concept with the current format first, - if possible.

Thx in advance for pointers/suggestions /Troels

### 802.15.4 USBTab frame format

Hi all,

I have my own 802.15.4 Packet Capturing device (the 'sniffer'), and a python program that collects the frames, and emits a pcap file, which can be analyzed in WireShark. This works fine.

Now I want to change to output of the sniffer firmware to a more native Wireshark/PCap format, and just let Wireshark start a USB Tap device. But I have trouble finding out (/finding the specs on) what exactly to send.

Hex decoding a working/correct .pcap file gives me:

// this is the file header:
d4c3b2a1-0200-0400-00000000-00000000-ffff0000-c3000000
// here comes the frames
58989c5c-b36b0c00-5f000000-5f000000-01e2<....cut>
58989c5c-336c0c00-5f000000-5f000000-01e2<....cut>


The 'c3000000' is the DLT_IEEE802_15_4_WITHFCS and is only issued once: in the file-header.

So - What excactly should I emit from the sniffer-firmware ?

1. Excaclty the same as above? Possibly emitting the "file-header" every 5 seconds, so WireShark can know wich DLT type we are talking about. ... or before each frame , if I want to waste the bandwith on that :-)

2. Is there another encapsulation, that I'm not aware of , when live-streaming from a device, as opposed to reading from a file?

Future: I am aware of the newer/better format of the DLT_IEEE802_15_4_TAP here: https://github.com/jkcko/ieee802.15.4-tap I just wanted to make a proof-of-concept with the current format first, - if possible.

Thx in advance for pointers/suggestions /Troelspointers/suggestions

/tpt