Wireshark mailing list archives
Re: UI for packets differing by a checksum on the end
From: Jon Smirl <jonsmirl () gmail com>
Date: Thu, 29 Jul 2010 16:18:08 -0400
On Thu, Jul 29, 2010 at 3:25 PM, Guy Harris <guy () alum mit edu> wrote:
> On Jul 29, 2010, at 7:19 AM, Jon Smirl wrote:
>
>> I'm working on the 802.15.4 packet decoder. 802.15.4 packets have a two byte hardware checksum at the end of them. Some sniffer hardware includes this checksum in the packets returned and some hardware doesn't. We've been switching between them by changing the source code:
>>
>> - ieee802154_handle = find_dissector("wpan");
>> + ieee802154_handle = find_dissector("wpan_nofcs");
>>
>> How can I fix this so that I can switch using the UI?
>
> Well, the first question you should ask is "can I fix this so that I don't *need* to switch using the UI?" If the machine doing the capturing knows whether the sniffer hardware includes the FCS or not, users shouldn't *have* to know it and shouldn't *have* to tell Wireshark.

The hardware that is leaving the FCS on encapsulates them as Ethernet frames with an Ethertype of 0x809a.

In packet-ieee802154.c:

    static void
    dissect_ieee802154_nofcs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
    {
        tvbuff_t *new_tvb;
        /* If there is no FCS present in the reported packet, then the length of
         * the true IEEE 802.15.4 packet is actually 2 bytes longer. Re-create
         * the buffer with an extended reported length so that the packet will
         * be handled as though the FCS were truncated.
         *
         * Note, we can't just call tvb_set_reported_length(), because it includes
         * checks to ensure that the new reported length is not longer than the old
         * reported length (why?), and will throw an exception.
         */
        new_tvb = tvb_new_subset(tvb, 0, -1, tvb_reported_length(tvb)+IEEE802154_FCS_LEN);
        /* Call the common dissector. */
        dissect_ieee802154_common(new_tvb, pinfo, tree, 0);
    } /* dissect_ieee802154_nofcs */

That routine is adding fake FCS bytes to the end of the packet. The main dissector code assumes the FCS is present. Adding a check that the packet is not encapsulated in Ethertype 0x809a should do the trick. How do I check for that?

    if (!ethernet encapsulate 0x809a)
        new_tvb = tvb_new_subset(tvb, 0, -1, tvb_reported_length(tvb)+IEEE802154_FCS_LEN);

> In what file format are the captures for those different pieces of hardware? If they're in pcap format, you should ask for a new DLT_ value for "802.15.4 without an FCS", use that DLT_ value for the sniffing hardware that doesn't include the checksum, and map that DLT_ value to the new WTAP_ENCAP_IEEE802_15_4_NOFCS value.
Both pieces of hardware are sending the packets into the Linux networking subsystem. I'm using Wireshark to capture from the network devices.
-- 
Jon Smirl
jonsmirl () gmail com
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
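Added example, not part of the thread and not Wireshark code: a standalone C check that tells from the frame bytes alone whether a capture source leaves the two-byte FCS on, by verifying the trailing bytes against the 802.15.4 CRC-16 and voting across frames. The function names (`fcs16`, `has_valid_fcs`, `capture_includes_fcs`) are hypothetical and the sample frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FCS_LEN 2 /* assumption: same two bytes as IEEE802154_FCS_LEN in the post */

/* 802.15.4 FCS: ITU-T CRC-16 (x^16 + x^12 + x^5 + 1), initial value 0,
 * bits taken LSB first; 0x8408 is that polynomial bit-reversed. */
uint16_t fcs16(const uint8_t *buf, size_t len)
{
    uint16_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (uint16_t)((crc & 1) ? (crc >> 1) ^ 0x8408 : crc >> 1);
    }
    return crc;
}

/* 1 if the last two bytes (low byte first) are the FCS of what precedes them. */
int has_valid_fcs(const uint8_t *frame, size_t len)
{
    if (len <= FCS_LEN)
        return 0;
    uint16_t wire = (uint16_t)(frame[len - 2] | (frame[len - 1] << 8));
    return wire == fcs16(frame, len - FCS_LEN);
}

/* Vote across a capture rather than per frame: sniffers also deliver frames
 * corrupted on air, and two arbitrary trailing bytes match by chance about
 * once in 65536 frames. Returns 1 when more than half the frames verify. */
int capture_includes_fcs(const uint8_t *const *frames, const size_t *lens, size_t n)
{
    size_t ok = 0;
    for (size_t i = 0; i < n; i++)
        ok += (size_t)has_valid_fcs(frames[i], lens[i]);
    return ok * 2 > n;
}

int main(void)
{
    /* Constructed sample capture: two intact frames and one with a bad FCS. */
    static const uint8_t a[] = { 0x01, 0x89, 0x11 };
    static const uint8_t b[] = { '1','2','3','4','5','6','7','8','9', 0x89, 0x21 };
    static const uint8_t c[] = { 0x01, 0x89, 0x10 };
    const uint8_t *const frames[] = { a, b, c };
    const size_t lens[] = { sizeof a, sizeof b, sizeof c };
    printf("FCS present: %d\n", capture_includes_fcs(frames, lens, 3));
    return 0;
}
```

A source whose frames almost never verify is either stripping the FCS or delivering only damaged frames, so the vote is a hint for choosing between the two dissectors, not a replacement for the capture source declaring its format.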