2003-04-02 20:21:45 +00:00
|
|
|
This is a very quick and very dirty guide to adding support for new
|
|
|
|
capture file formats. If you see any errors or have any improvements,
|
|
|
|
submit patches - free software is a community effort....
|
|
|
|
|
|
|
|
To add the ability to read a new capture file format, you have to:
|
|
|
|
|
|
|
|
write an "open" routine that can read the beginning of the
|
|
|
|
capture file and figure out if it's in that format or not,
|
|
|
|
either by looking at a magic number at the beginning or by using
|
|
|
|
some form of heuristic to determine if it's a file of that type
|
|
|
|
(if the file format has a magic number, that's what should be
|
|
|
|
used);
|
|
|
|
|
|
|
|
write a "read" routine that can read a packet from the file and
|
2006-11-07 19:25:32 +00:00
|
|
|
supply the packet length, captured data length, time stamp, and
|
|
|
|
packet pseudo-header (if any) and data, and have the "open"
|
|
|
|
routine set the "subtype_read" member of the "wtap" structure
|
|
|
|
supplied to it to point to that routine;
|
|
|
|
|
|
|
|
write a "seek and read" routine that can seek to a specified
|
|
|
|
location in the file for a packet and supply the packet
|
|
|
|
pseudo-header (if any) and data, and have the "open" routine set
|
|
|
|
the "subtype_seek_read" member of the "wtap" structure to point
|
|
|
|
to that routine;
|
2003-04-02 20:21:45 +00:00
|
|
|
|
|
|
|
write a "close" routine, if necessary (if, for example, the
|
|
|
|
"open" routine allocates any memory), and set the
|
|
|
|
"subtype_close" member of the "wtap" structure to point to it,
|
|
|
|
otherwise leave it set to NULL;
|
|
|
|
|
2023-04-16 04:57:34 +00:00
|
|
|
add an entry for that file type in the "open_info_base[]" table
|
|
|
|
in "wiretap/file_access.c", giving a pointer to the "open" routine,
|
|
|
|
a name to use in file open dialogs, whether the file type uses a
|
|
|
|
magic number or a heuristic, and if it uses a heuristic, file
|
|
|
|
extensions for which the heuristic should be tried first. More
|
|
|
|
discriminating and faster heuristics should be put before less
|
|
|
|
accurate and slower heuristics;
|
|
|
|
|
|
|
|
add a registration routine passing a "file_type_subtype_info" struct
|
|
|
|
to wtap_register_file_type_subtypes(), giving a descriptive name, a
|
|
|
|
short name that's convenient to type on a command line (no blanks or
|
|
|
|
capital letters, please), common file extensions to open and save,
|
|
|
|
any block types supported, and pointers to the "can_write_encap" and
|
|
|
|
"dump_open" routines if writing that file is supported (see below),
|
|
|
|
otherwise just null pointers.
|
2003-04-02 20:21:45 +00:00
|
|
|
|
2003-09-24 23:53:11 +00:00
|
|
|
Wiretap applications typically first perform sequential reads through
|
2018-08-27 15:17:32 +00:00
|
|
|
the capture file and may later do "seek and read" for individual frames.
|
2003-09-24 23:53:11 +00:00
|
|
|
The "read" routine should set the variable data_offset to the byte
|
|
|
|
offset within the capture file from which the "seek and read" routine
|
|
|
|
will read. If the capture records consist of:
|
|
|
|
|
|
|
|
capture record header
|
|
|
|
pseudo-header (e.g., for ATM)
|
|
|
|
frame data
|
|
|
|
|
|
|
|
then data_offset should point to the pseudo-header. The first
|
|
|
|
sequential read pass will process and store the capture record header
|
2018-08-27 15:17:32 +00:00
|
|
|
data, but it will not store the pseudo-header. Note that the
|
2010-10-20 01:15:12 +00:00
|
|
|
seek_and_read routine should work with the "random_fh" file handle
|
2018-08-27 15:17:32 +00:00
|
|
|
of the passed in wtap struct, instead of the "fh" file handle used
|
2010-10-20 01:15:12 +00:00
|
|
|
in the normal read routine.
|
2003-09-24 23:53:11 +00:00
|
|
|
|
2003-04-02 20:21:45 +00:00
|
|
|
To add the ability to write a new capture file format, you have to:
|
|
|
|
|
|
|
|
add a "can_write_encap" routine that returns an indication of
|
|
|
|
whether a given packet encapsulation format is supported by the
|
|
|
|
new capture file format;
|
|
|
|
|
|
|
|
add a "dump_open" routine that starts writing a file (writing
|
|
|
|
headers, allocating data structures, etc.);
|
|
|
|
|
|
|
|
add a "dump" routine to write a packet to a file, and have the
|
|
|
|
"dump_open" routine set the "subtype_write" member of the
|
|
|
|
"wtap_dumper" structure passed to it to point to it;
|
|
|
|
|
2007-10-09 05:37:34 +00:00
|
|
|
add a "dump_close" routine, if necessary (if, for example, the
|
2003-04-02 20:21:45 +00:00
|
|
|
"dump_open" routine allocates any memory, or if some of the file
|
|
|
|
header can be written only after all the packets have been
|
|
|
|
written), and have the "dump_open" routine set the
|
|
|
|
"subtype_close" member of the "wtap_dumper" structure to point
|
|
|
|
to it;
|
|
|
|
|
|
|
|
put pointers to the "can_write_encap" and "dump_open" routines
|
2023-04-16 04:57:34 +00:00
|
|
|
in the "file_type_subtype_info" struct passed to
|
|
|
|
wtap_register_file_type_subtypes().
|
2010-10-20 01:15:12 +00:00
|
|
|
|
2018-04-15 21:40:36 +00:00
|
|
|
In the wiretap directory, add your source file to CMakelists.txt.
|