[tcpdump-workers] Request for new DLT

2013-05-18 Thread Pascal Quantin
Hi all,

Anders Broman, Wireshark core developer, is currently designing an export
functionality for PDUs and would need a DLT allocated for this new
functionality.
You will find below the email he tried to send to this mailing list a few
days ago and that got bounced. I hope mine will go through :)

Best regards,
Pascal.

-Original Message-
From: Anders Broman
Sent: 16 May 2013 16:04
To: 'tcpdump-workers@lists.tcpdump.org'
Subject: RE: Request for new DLT


Hi,
I would need a DLT for a wrapper around higher level PDUs or per-packet
DLTs. The format is multipurpose and consists of a number of TLVs
preceding the actual PDU.
There are TLVs which describe which protocol the PDU is and metadata
such as IP address and port (if the transport protocol(s) are stripped off).

The format can be used by logging functions in various nodes, say after
deserialization (SS7 over TDM), decryption (GSM/UMTS/LTE nodes?) etc.
Tag values and an outline of the format can be found here:
http://anonsvn.wireshark.org/viewvc/trunk/epan/exported_pdu.h?revision=49285&view=markup

LINKTYPE_ANY_PDU or something like that?

Best regards
Anders Broman
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers


Re: [tcpdump-workers] Request for new DLT

2013-05-19 Thread Pascal Quantin
Hi Michael,

2013/5/18 Michael Richardson

>
> >>>>> "Pascal" == Pascal Quantin writes:
> Pascal> Anders Broman, Wireshark core developer, is currently designing an export
> Pascal> functionality for PDUs and would need a DLT allocated for this new
> Pascal> functionality.
> Pascal> You will find below the email he tried to send to this mailing list a few
> Pascal> days ago and that got bounced. I hope mine will go through
> Pascal> :)
>
> sorry.
>
> Anders> I would need a DLT for a wrapper around higher level PDUs or per-packet
> Anders> DLTs. The format is multipurpose and consists of a number of TLVs
> Anders> preceding the actual PDU.
> Anders> There are TLVs which describe which protocol the PDU is and metadata
> Anders> such as IP address and port (if the transport protocol(s) are stripped off).
>
> Anders> The format can be used by logging functions in various nodes, say after
> Anders> deserialization (SS7 over TDM), decryption (GSM/UMTS/LTE nodes?) etc.
> Anders> Tag values and an outline of the format can be found here:
> Anders> http://anonsvn.wireshark.org/viewvc/trunk/epan/exported_pdu.h?revision=49285&view=markup
>
> Looks like a rather sane TLV structure.
> Is it intended to be used beyond SS7 stuff?


Anders can describe it better than me, but the format intends to be
versatile. It allows you to export any higher level PDUs in a pcap file
while maintaining some basic information about the lower layers (like the
transport one). The current code sample in Wireshark is for the SIP protocol,
but could be extended to any protocol if there is a need. With a DLT
allocated, it would allow the feature to work out of the box without any
user configuration required (right now the implementation is mapped on a
user DLT, so you must configure Wireshark accordingly).
For example, I would see a use for it for the logging capabilities of a
mobile phone that uses higher layer protocols decoded by Wireshark without
the traditional network oriented transport layers. Right now I need to play
tricks with a user DLT and it prevents mixing protocols.

Regards,
Pascal.


Re: [tcpdump-workers] Request for new DLT

2013-05-23 Thread Pascal Quantin
Hi Michael,

On 23/05/2013 20:03, Michael Richardson wrote:
>> "Anders" == Anders Broman writes:
> Pascal> Anders can describe it better than me, but the format
> Pascal> intends to be versatile. It allows you to export any higher
> Pascal> level PDUs in a pcap file while maintaining some basic
> Pascal> information about the lower layers
>
> So, how are the higher level PDUs going to be described?
> that is, will you have a recursive DLT value, or what exactly?
Right now the dissector to be used for each high level PDU is given in
the header, using the EXP_PDU_TAG_PROTO_NAME tag (see
https://anonsvn.wireshark.org/viewvc/trunk/epan/exported_pdu.h?view=markup&pathrev=49446).
You do have one TLV structure per PDU, giving the protocol name and
optionally the context (like port number, IP address,...).
> Pascal> (like the transport one). The current code sample in
> Pascal> Wireshark is for SIP protocol, but could be extended to any
> Pascal> protocol if there is a need. With a DLT allocated, it would
> Pascal> allow the feature to work out of  
>
> I'd rather have it be rather specific and well defined, than loose and
> nebulous.  DLTs already require too much specialized knowledge to
> decode as it is.
Regarding the definition, the TLV structure seems rather well defined to
me and does not intend to be nebulous (sorry if this is the way my
sentence sounded). Or maybe I missed what you meant.

Best regards,
Pascal.

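The header structure Anders and Pascal describe (a run of TLVs giving the protocol name and optional transport context, followed by the PDU itself), as an added example that is not from the thread or from Wireshark's own code: a bounds-checked C walker over the options that refuses truncated or over-long lengths before anything is handed to a dissector. The 16-bit tag / 16-bit length layout, the end-of-options tag and every tag number are assumptions made for this example (the thread names only EXP_PDU_TAG_PROTO_NAME); the authoritative definitions are in the exported_pdu.h linked above, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Tag numbers are ASSUMED for this example; the thread names only EXP_PDU_TAG_PROTO_NAME. */
enum { TAG_END_OF_OPT = 0, TAG_PROTO_NAME = 12, TAG_IPV4_SRC = 20,
       TAG_IPV4_DST = 21, TAG_SRC_PORT = 25, TAG_DST_PORT = 26 };
struct exp_pdu {
    char     proto[32];            /* dissector the payload should be handed to */
    uint32_t ipv4_src, ipv4_dst;   /* optional lower-layer context */
    uint16_t src_port, dst_port;
    size_t   payload_off;          /* offset where the actual PDU begins */
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
/* Walk assumed 16-bit tag / 16-bit length TLVs up to end-of-options: 0 ok, -1 malformed. */
int exp_pdu_parse(const uint8_t *buf, size_t len, struct exp_pdu *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    for (;;) {
        if (len - off < 4) return -1;                 /* need room for tag + length */
        uint16_t tag = rd16(buf + off), vlen = rd16(buf + off + 2);
        off += 4;
        if (vlen > len - off) return -1;              /* declared value overruns the buffer */
        const uint8_t *v = buf + off;
        switch (tag) {
        case TAG_END_OF_OPT: out->payload_off = off + vlen; return 0;
        case TAG_PROTO_NAME: {                        /* bounded copy, always NUL-terminated */
            size_t n = vlen < sizeof out->proto - 1 ? vlen : sizeof out->proto - 1;
            memcpy(out->proto, v, n); out->proto[n] = '\0'; break; }
        case TAG_IPV4_SRC: if (vlen == 4) out->ipv4_src = rd32(v); break;
        case TAG_IPV4_DST: if (vlen == 4) out->ipv4_dst = rd32(v); break;
        case TAG_SRC_PORT: if (vlen == 4) out->src_port = (uint16_t)rd32(v); break;
        case TAG_DST_PORT: if (vlen == 4) out->dst_port = (uint16_t)rd32(v); break;
        default: break;                               /* unknown tag: skip it, format is extensible */
        }
        off += vlen;
    }
}
/* Constructed sample: a "sip" PDU from 10.0.0.1:5060 to 10.0.0.2:5060, then the payload. */
static const uint8_t sample[] = {
    0,12, 0,4, 's','i','p',0,    0,20, 0,4, 10,0,0,1,    0,21, 0,4, 10,0,0,2,
    0,25, 0,4, 0,0,0x13,0xC4,    0,26, 0,4, 0,0,0x13,0xC4,
    0,0,  0,0,  'I','N','V','I','T','E',' '   /* END_OF_OPT, then the SIP request starts */
};
int main(void)
{
    struct exp_pdu p;   /* exit status 0 when the sample header parses cleanly */
    return exp_pdu_parse(sample, sizeof sample, &p) != 0;
}
```

Feeding the same header with the buffer cut short, or with a length field larger than the remaining bytes, makes the parser return -1 instead of reading past the capture record.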