gmane.network.tcpdump.devel

Re: Request for new DLT

Anders Broman — 2013-05-24T08:59:03


-----Original Message-----
From: mcr< at >sandelman.ca [mailto:mcr< at >sandelman.ca] 
Sent: den 23 maj 2013 20:03
To: Anders Broman
Cc: tcpdump-workers< at >lists.tcpdump.org
Subject: Re: [tcpdump-workers] Request for new DLT


    Pascal> Anders can describe it better than me, but the format
    Pascal> intends to be versatile.It allows you to export any higher
    Pascal> level PDUs in a pcap file while maintaining some basic
    Pascal> information about the lower layers 


    Pascal> (like the transport one). The current code sample in
    Pascal> Wireshark is for SIP protocol, but could be extended to any
    Pascal> protocol if there is a need. With a DLT allocated, it would
    Pascal> allow the feature to work out of  


I'm not sure I get the objection, do you feel that these protocol type tag isn't clear enough?
#define EXP_PDU_TAG_LINKTYPE          11 /**< The value part is the linktype value defined by tcpdump 
                                          * http://www.tcpdump.org/linktypes.html

Re: Request for new DLT

Pascal Quantin — 2013-05-23T18:23:34

Hi Michael,

Le 23/05/2013 20:03, Michael Richardson a écrit :
Right now the dissector to be used for each high level PDU is given in
the header, using the EXP_PDU_TAG_PROTO_NAME tag (see
https://anonsvn.wireshark.org/viewvc/trunk/epan/exported_pdu.h?view=markup&pathrev=49446).
You do have one TLV structure per PDU, giving the protocol name and
optionally the context (like port number, IP address,...).
Regarding the definition, the TLV structure seems rather well defined to
me and does not intend to be nebulous (sorry if this is the way my
sentence sounded). Or maybe I missed what you meant.

Best regards,
Pascal.

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers< at >lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers

Re: Request for new DLT

Michael Richardson — 2013-05-23T18:03:10

    Pascal> Anders can describe it better than me, but the format
    Pascal> intends to be versatile.It allows you to export any higher
    Pascal> level PDUs in a pcap file while maintaining some basic
    Pascal> information about the lower layers 

So, how are the higher level PDUs going to be described?
that is, will you have a recursive DLT value, or what exactly?

    Pascal> (like the transport one). The current code sample in
    Pascal> Wireshark is for SIP protocol, but could be extended to any
    Pascal> protocol if there is a need. With a DLT allocated, it would
    Pascal> allow the feature to work out of  

I'd rather have it be rather specific and well defined, then loose and
nebulous.  DLTs already require too much specialized knowledge to
decode as it is.

review request: Babel and OpenFlow

Denis Ovsienko — 2013-05-22T14:25:51

List,

I am looking for someone to review the commits in pull request #312, which I have opened. It contains a few improvements to existing Babel decoder and a new OpenFlow 1.0 decoder. Both pieces work fine for me, but if you see anything that should be fixed please let me know.

Re: pcap FCS length and LT_FCS_DATALINK_EXT()

Guy Harris — 2013-05-21T18:57:22

On May 5, 2013, at 3:49 PM, Stephen Donnelly <Stephen.Donnelly< at >emulex.com> wrote:


Yes, that was from a thread with the subject "Request for a new DLT for MTP2 with FCS" from 2007, in which Florent, you, and I were the participants.


Units of bits won't work, as the field is only 4 bits long, so it can't even handle 16 bits.  As units of 16 bits is already being used, we might as well go with it.


Yes, it does.  If you have libpcap 1.0 or later, you have pcap_datalink_ext(), so tcpdump could use it as well.
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers< at >lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers

Re: Request for new pcap/pcapng DLT Format

Guy Harris — 2013-05-21T18:36:20

On May 20, 2013, at 7:19 PM, chris_bontje< at >selinc.com wrote:


Just out of curiosity, does that screen shot show a capture made in late November, 2011?

If so, was it done in your local area (which appears, from the area code, to be in eastern Washington state)?

If so, was it done at about 1:36 in the morning of November 23, 2011?

If so, those "seconds" fields look rather suspiciously like UN*X "seconds since the epoch" values, i.e. *absolute* time stamps, not *relative* time stamps.

(If they were captured somewhere else, apply the appropriate time zone delta from the Pacific time zone to "1:36 in the morning".)


By that do you mean "the "sub-seconds" 32-bit field is a count of microseconds since the second specified in the "seconds" field"?

If so, and if the "seconds" field is a UN*X "seconds since the Epoch" value, the time stamp sounds *VERY* suspiciously like a "struct timeval"...

...which, given that, as you said, "the RTAC platform is Linux-based", i.e. it's running on a UN*X, would not be very s

Re: Request for new DLT

Anders Broman — 2013-05-21T14:15:53

From: Pascal Quantin [mailto:pascal.quantin< at >gmail.com] 
Sent: den 19 maj 2013 10:25
To: Michael Richardson
Cc: Anders Broman; tcpdump-workers< at >lists.tcpdump.org
Subject: Re: [tcpdump-workers] Request for new DLT

Hi Michael,

2013/5/18 Michael Richardson <mcr< at >sandelman.ca>

    Pascal> Anders Broman, Wireshark core developer, is currently designing an export
    Pascal> functionality for PDUs and would need a DLT allocated for this new
    Pascal> functionality.
    Pascal> You will find below the email he tried to send to this mailing list a few
    Pascal> days ago and that got bounced. I hope mine will go through
    Pascal> :)

sorry.

    Anders>  I would need a DLT for a wrapper around higher level PDU's or per-packet
    Anders> DLT:s the format is multipurpose and consists of a number of TLV:s
    Anders> proceeding the actual PDU.
    Anders> There are TLV:s which describes which protocol the PDU is and meta data
    Anders> such as IP address and port (if the transport proto

Re: Request for new pcap/pcapng DLT Format

Guy Harris — 2013-05-21T02:13:08

On May 13, 2013, at 1:04 PM, chris_bontje< at >selinc.com wrote:


Seconds and 1/2^32ths of a second?

Speaking of timestamps, what goes into the pcap or pcap-ng time stamp field (those are absolute timestamps)?
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers< at >lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers

Re: Request for new pcap/pcapng DLT Format

Guy Harris — 2013-05-21T02:07:06

On May 20, 2013, at 6:54 PM, chris_bontje< at >selinc.com wrote:


OK, I've assigned 250 for LINKTYPE_RTAC_SERIAL and DLT_RTAC_SERIAL.


I assume it's capturing on the "any" interface.
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers< at >lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers

Re: Request for new pcap/pcapng DLT Format

2013-05-21T01:54:00

Hi Guy,

Those names sound good to me for the RTAC serial captures.

After looking a little closer, I suspect that since the RTAC platform is 
Linux-based, the programmers used the libpcap library to perform captures 
and that library is responsible for the output of the SLL format.  I'll 
revise the comments section in the code header to clarify a little bit 
more on that point.

Regards,

Chris Bontje
Schweitzer Engineering Labs
Automation Application Specialist, SW Region
(509)334-5664
chris_bontje< at >selinc.com




From:   Guy Harris <guy< at >alum.mit.edu>
To:     chris_bontje< at >selinc.com
Cc:     tcpdump-workers< at >lists.tcpdump.org
Date:   05/20/2013 12:33 PM
Subject:        Re: [tcpdump-workers] Request for new pcap/pcapng DLT 
Format




On May 13, 2013, at 1:04 PM, chris_bontje< at >selinc.com wrote:


Do LINKTYPE_RTAC_SERIAL/DLT_RTAC_SERIAL sound like good names?

Cooked 

That's not an Ethernet header:

                 http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html

Any particular reason not to use LINK

Re: Request for new pcap/pcapng DLT Format

Guy Harris — 2013-05-20T18:33:38

On May 13, 2013, at 1:04 PM, chris_bontje< at >selinc.com wrote:


Do LINKTYPE_RTAC_SERIAL/DLT_RTAC_SERIAL sound like good names?


That's not an Ethernet header:

http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html

Any particular reason not to use LINKTYPE_ETHERNET/DLT_EN10MB, rather than LINKTYPE_LINUX_SLL/DLT_LINUX_SLL, for Ethernet captures?
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers< at >lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers

Re: Request for new DLT

Pascal Quantin — 2013-05-19T08:25:27

Hi Michael,

2013/5/18 Michael Richardson <mcr< at >sandelman.ca>



Anders can describe it better than me, but the format intends to be
versatile.It allows you to export any higher level PDUs in a pcap file
while maintaining some basic information about the lower layers (like the
transport one). The current code sample in Wireshark is for SIP protocol,
but could be extended to any protocol if there is a need. With a DLT
allocated, it would allow the feature to work out of the box without any
user configuration required (right now the implementation is mapped on a
user DLT, so you must configure Wireshark accordingly).
For example I would see a use for it for the logging capabilities of a
mobile phone that use higher layer protocols decoded by Wireshark without
the traditional network oriented transport layers. Right now I need to play
tricks with user DLT and it prevents mixing protocols.

Regards,
Pascal.
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers< at >lists.tcpdump.

Re: using tcpdump

Mahmood Naderan — 2013-05-19T05:25:05

Problem is, syslog (and kernel in general) doesn't record such things *at all*

 
Regards,
Mahmood



________________________________
 From: Mark W. Jeanmougin <markjx< at >gmail.com>
To: Mahmood Naderan <nt_mahmood< at >yahoo.com> 
Cc: "tcpdump-workers< at >lists.tcpdump.org" <tcpdump-workers< at >lists.tcpdump.org> 
Sent: Sunday, May 19, 2013 1:09 AM
Subject: Re: [tcpdump-workers] using tcpdump
 


For an issue like this, I would look at syslog before I'd check tcpdump. Is anything there when the box looses the network connection?
MJ
On May 16, 2013 9:16 AM, "Mahmood Naderan" <nt_mahmood< at >yahoo.com> wrote:

Hello all users
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers< at >lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers

Re: capturing only timestamp excluding otherinformation

Guy Harris — 2013-05-18T21:09:33

On May 8, 2013, at 10:51 PM, achyut baruah <achyutbaruah.mail< at >gmail.com> wrote:


No, there isn't.

However, if you capture with as low a snapshot length as possible (try 1 as a value; the OS or libpcap might raise it to a larger minimum value), that will minimize the amount of extra data you're capturing.  If you only want the timestamp from the pcap file, you can just extract that and ignore the packet data.

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers< at >lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers

Re: Request for new DLT

Michael Richardson — 2013-05-18T19:54:38

    Pascal> Anders Broman, Wireshark core developer, is currently designing an export
    Pascal> functionality for PDUs and would need a DLT allocated for this new
    Pascal> functionality.
    Pascal> You will find below the email he tried to send to this mailing list a few
    Pascal> days ago and that got bounced. I hope mine will go through
    Pascal> :)

sorry.

    Anders>  I would need a DLT for a wrapper around higher level PDU's or per-packet
    Anders> DLT:s the format is multipurpose and consists of a number of TLV:s
    Anders> proceeding the actual PDU.
    Anders> There are TLV:s which describes which protocol the PDU is and meta data
    Anders> such as IP address and port (if the transport protocol(s) are striped off).

    Anders> The format can be used by logging functions in various nodes, say after
    Anders> deserialization(SS7 over TDM) decryption(GSM/UMTS/LTE Nodes?) etc.
    Anders> Tag values and an outline of the format can be found here
    Anders> http://anonsvn.wireshark.or

Request for DLT

Anders Broman — 2013-05-14T07:56:42

Hi,
I would need a DLT for a wrapper around higher level PDU's or per-packet DLT:s the format is multipurpose and consists of a number of TLV:s proceeding the actual PDU.
There are TLV:s which describes which protocol the PDU is and meta data such as IP address and port (if the transport protocol(s) are striped off).

The format can be used by logging functions in various nodes, say after deserialization(SS7 over TDM) decryption(GSM/UMTS/LTE Nodes?) etc.
Tag values and an outline of the format can be found here http://anonsvn.wireshark.org/viewvc/trunk/epan/exported_pdu.h?revision=49285&view=markup

Best regards
Anders Broman
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers< at >lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers

Re: Request for new DLT

Anders Broman — 2013-05-16T14:03:37

Hi,
I would need a DLT for a wrapper around higher level PDU's or per-packet DLT:s the format is multipurpose and consists of a number of TLV:s proceeding the actual PDU.
There are TLV:s which describes which protocol the PDU is and meta data such as IP address and port (if the transport protocol(s) are striped off).

The format can be used by logging functions in various nodes, say after deserialization(SS7 over TDM) decryption(GSM/UMTS/LTE Nodes?) etc.
Tag values and an outline of the format can be found here http://anonsvn.wireshark.org/viewvc/trunk/epan/exported_pdu.h?revision=49285&view=markup 

LINKTYPE_ANY_PDU or something like that?

Best regards
Anders Broman
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers< at >lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers

Request for new DLT

Anders Broman — 2013-05-16T14:02:02

Hi,
I would need a DLT for a wrapper around higher level PDU's or per-packet DLT:s the format is multipurpose and consists of a number of TLV:s proceeding the actual PDU.
There are TLV:s which describes which protocol the PDU is and meta data such as IP address and port (if the transport protocol(s) are striped off).

The format can be used by logging functions in various nodes, say after deserialization(SS7 over TDM) decryption(GSM/UMTS/LTE Nodes?) etc.
Tag values and an outline of the format can be found here http://anonsvn.wireshark.org/viewvc/trunk/epan/exported_pdu.h?revision=49285&view=markup

LINKTYPE_ANY_PDU or something like that?

Best regards
Anders Broman
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers< at >lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers

Request for new pcap/pcapng DLT Format

2013-05-13T20:04:37

Hi, I would like to request a custom DLT type for the Schweitzer 
Engineering Laboratories "RTAC" product.  Information on the 
product/purpose of the DLT is included below:

The RTAC product family (SEL-3530, SEL-2241, SEL-3505) is a Linux-based 
Automation Controller product that is capable of interfacing with SEL and 
3rd-party equipment using a variety of standard industrial protocols such 
as SEL FM, DNP3, Modbus, C37.118, Telegyr 8979 and others. Each protocol 
instance (master/client or slave/server) is configured to utilize either 
Ethernet or EIA-232/485 serial connectivity with protocol variations for 
each medium taken into account.  More information is available at 
www.selinc.com/sel-3530

The configuration software for the RTAC platform is named AcSELerator RTAC 
(SEL-5033) and is used to set up all communications and user logic for the 
controller as well as provide downloading and online debugging facilities. 
 One particularly useful aspect of the online debugging capabilities is a 
robust C

capturing only timestamp excluding otherinformation

achyut baruah — 2013-05-09T05:51:21

Sir, I have been using Tcpdump. Extracting timestamp from a pcap file is
quite easy. Is there any way to capture only the timestamp excluding other
info using Tcpdump while capturing packet.

Request for new DLT

Pascal Quantin — 2013-05-18T18:45:19

Hi all,

Anders Broman, Wireshark core developer, is currently designing an export
functionality for PDUs and would need a DLT allocated for this new
functionality.
You will find below the email he tried to send to this mailing list a few
days ago and that got bounced. I hope mine will go through :)

Best regards,
Pascal.

-----Original Message-----
From: Anders Broman
Sent: den 16 maj 2013 16:04
To: 'tcpdump-workers< at >lists.tcpdump.org'
Subject: RE: Request for new DLT


Hi,
I would need a DLT for a wrapper around higher level PDU's or per-packet
DLT:s the format is multipurpose and consists of a number of TLV:s
proceeding the actual PDU.
There are TLV:s which describes which protocol the PDU is and meta data
such as IP address and port (if the transport protocol(s) are striped off).

The format can be used by logging functions in various nodes, say after
deserialization(SS7 over TDM) decryption(GSM/UMTS/LTE Nodes?) etc.
Tag values and an outline of the format can be found here
http://anonsvn.wireshark.org/vi