2018-02-05 16:59:45 +00:00
|
|
|
|
// WSDG Chapter Capture
|
2018-02-04 19:39:56 +00:00
|
|
|
|
|
2014-02-02 19:00:30 +00:00
|
|
|
|
[[ChapterCapture]]
|
|
|
|
|
|
|
|
|
|
== Packet capturing
|
|
|
|
|
|
|
|
|
|
****
|
|
|
|
|
This chapter needs to be reviewed and extended.
|
|
|
|
|
****
|
|
|
|
|
|
|
|
|
|
[[ChCaptureAddLibpcap]]
|
|
|
|
|
|
|
|
|
|
=== How to add a new capture type to libpcap
|
|
|
|
|
|
|
|
|
|
The following is an updated excerpt from a developer mailing list mail about
|
|
|
|
|
adding ISO 9141 and 14230 (simple serial line card diagnostics) to Wireshark:
|
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
For libpcap, the first thing you’d need to do would be to get +{dlt-glob}+ values
|
|
|
|
|
for all the link-layer protocols you’d need. If ISO 9141 and 14230 use the same
|
2018-02-04 19:39:56 +00:00
|
|
|
|
link-layer protocol, they might be able to share a +{dlt-glob}+ value, unless the
|
2014-02-02 19:00:30 +00:00
|
|
|
|
only way to know what protocols are running above the link layer is to know
|
|
|
|
|
which link-layer protocol is being used, in which case you might want separate
|
2018-02-04 19:39:56 +00:00
|
|
|
|
+{dlt-glob}+ values.
|
2014-02-02 19:00:30 +00:00
|
|
|
|
|
|
|
|
|
For the rest of the libpcap discussion, I'll assume you're working with libpcap
|
|
|
|
|
1.0 or later and that this is on a UN*X platform. You probably don't want to
|
|
|
|
|
work with a version older than 1.0, even if whatever OS you're using happens to
|
|
|
|
|
include libpcap - older versions are not as friendly towards adding support for
|
|
|
|
|
devices other than standard network interfaces.
|
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
Then you’d probably add to the `pcap_open_live()` routine, for whatever
|
2014-02-02 19:00:30 +00:00
|
|
|
|
platform or platforms this code should work, something such as a check
|
|
|
|
|
for device names that look like serial port names and, if the check
|
|
|
|
|
succeeds, a call to a routine to open the serial port.
|
|
|
|
|
|
2018-02-04 19:39:56 +00:00
|
|
|
|
See, for example, the `#ifdef HAVE_DAG_API` code in _pcap-linux.c_ and
|
|
|
|
|
_pcap-bpf.c_.
|
2014-02-02 19:00:30 +00:00
|
|
|
|
|
|
|
|
|
The serial port open routine would open the serial port device, set the baud
|
2018-02-04 23:15:02 +00:00
|
|
|
|
rate and do anything else needed to open the device. It’d allocate a `pcap_t`,
|
2018-02-04 19:39:56 +00:00
|
|
|
|
set its `fd` member to the file descriptor for the serial device, set the
|
|
|
|
|
`snapshot` member to the argument passed to the open routine, set the `linktype`
|
|
|
|
|
member to one of the +{dlt-glob}+ values, and set the `selectable_fd` member to
|
|
|
|
|
the same value as the `fd` member. It should also set the `dlt_count` member to
|
|
|
|
|
the number of +{dlt-glob}+ values to support, and allocate an array of
|
|
|
|
|
`dlt_count` `u_int`s, assign it to the `dlt_list` member, and fill in that list
|
|
|
|
|
with all the +{dlt-glob}+ values.
|
2014-02-02 19:00:30 +00:00
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
You’d then set the various `_*_op` fields to routines to handle the operations in
|
|
|
|
|
question. `read_op` is the routine that’d read packets from the device. `inject_op`
|
|
|
|
|
would be for sending packets; if you don't care about that, you’d set it to a
|
2018-02-04 19:39:56 +00:00
|
|
|
|
routine that returns an error indication. `setfilter_op` can probably just be set
|
|
|
|
|
to `install_bpf_program`. `set_datalink` would just set the `linktype` member to the
|
2018-02-04 23:15:02 +00:00
|
|
|
|
specified value if it’s one of the values for OBD, otherwise it should return an
|
2018-02-04 19:39:56 +00:00
|
|
|
|
error. `getnonblock_op` can probably be set to `pcap_getnonblock_fd`. `setnonblock_op`
|
|
|
|
|
can probably be set to `pcap_setnonblock_fd`. `stats_op` would be set to a routine
|
|
|
|
|
that reports statistics. `close_op` can probably be set to `pcap_close_common`.
|
2014-02-02 19:00:30 +00:00
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
If there’s more than one +{dlt-glob}+ value, you definitely want a `set_datalink`
|
2014-02-02 19:00:30 +00:00
|
|
|
|
routine so that the user can select the appropriate link-layer type.
|
|
|
|
|
|
2018-02-04 23:15:02 +00:00
|
|
|
|
For Wireshark, you’d add support for those +{dlt-glob}+ values to
|
2018-02-04 19:39:56 +00:00
|
|
|
|
_wiretap/libpcap.c_, which might mean adding one or more _WTAP_ENCAP_ types to
|
2018-02-04 23:15:02 +00:00
|
|
|
|
_wtap.h_ and to the `encap_table[]` table in _wiretap/wtap.c_. You’d then
|
2014-02-02 19:00:30 +00:00
|
|
|
|
have to write a dissector or dissectors for the link-layer protocols or
|
2018-02-04 19:39:56 +00:00
|
|
|
|
protocols and have them register themselves with the `wtap_encap` dissector
|
|
|
|
|
table, with the appropriate _WTAP_ENCAP_ values by calling
|
|
|
|
|
`dissector_add_uint()`.
|
2014-02-02 19:00:30 +00:00
|
|
|
|
|
2018-02-05 16:59:45 +00:00
|
|
|
|
// End of WSDG Chapter Capture
|