Wireshark mailing list archives

Re: UI for packets differing by a checksum on the end


From: Jon Smirl <jonsmirl () gmail com>
Date: Thu, 29 Jul 2010 16:18:08 -0400

On Thu, Jul 29, 2010 at 3:25 PM, Guy Harris <guy () alum mit edu> wrote:

On Jul 29, 2010, at 7:19 AM, Jon Smirl wrote:

I'm working on the 802.15.4 packet decoder. 802.15.4 packets have a
two byte hardware checksum at the end of them. Some sniffer hardware
includes this checksum in the packets returned and some hardware
doesn't.

We've been switching between them by changing the source code:
-        ieee802154_handle   = find_dissector("wpan");
+        ieee802154_handle   = find_dissector("wpan_nofcs");
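
Review bot: replacing the literal in find_dissector("wpan") with "wpan_nofcs" compiles the capture hardware's FCS behaviour into the binary, so a build made for one sniffer misreads the trailing two bytes of frames from the other. Look up both handles once and pick between them at run time, from a preference or from the encapsulation the frame arrived in, rather than editing this line.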

How can I fix this so that I can switch using the UI?

Well, the first question you should ask is "can I fix this so that I don't *need* to switch using the UI?"  If the 
machine doing the capturing knows whether the sniffer hardware includes the FCS or not, users shouldn't *have* to 
know it and shouldn't *have* to tell Wireshark.

The hardware that is leaving the FCS on encapsulates them as Ethernet
frames with an Ethertype of 0x809a.

In packet-ieee802154.c:

static void
dissect_ieee802154_nofcs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    tvbuff_t    *new_tvb;
    /* If there is no FCS present in the reported packet, then the length of
     * the true IEEE 802.15.4 packet is actually 2 bytes longer. Re-create
     * the buffer with an extended reported length so that the packet will
     * be handled as though the FCS were truncated.
     *
     * Note, we can't just call tvb_set_reported_length(), because it includes
     * checks to ensure that the new reported length is not longer than the old
     * reported length (why?), and will throw an exception.
     */
    new_tvb = tvb_new_subset(tvb, 0, -1,
                             tvb_reported_length(tvb)+IEEE802154_FCS_LEN);
    /* Call the common dissector. */
    dissect_ieee802154_common(new_tvb, pinfo, tree, 0);
} /* dissect_ieee802154_nofcs */

That routine is adding fake FCS bytes to the end of the packet. The
main dissector code assumes the FCS is present.
Adding a check that the packet is not encapsulated in ethertype 0x809a
should do the trick.
How do I check for that?

if (!ethernet encapsulate 0x809a)
    new_tvb = tvb_new_subset(tvb, 0, -1,
                             tvb_reported_length(tvb)+IEEE802154_FCS_LEN);



In what file format are the captures for those different pieces of hardware?  If they're in pcap format, you should 
ask for a new DLT_ value for "802.15.4 without an FCS", use that DLT_ value for the sniffing hardware that doesn't 
include the checksum, and map that DLT_ value to the new WTAP_ENCAP_IEEE802_15_4_NOFCS value.

Both pieces of hardware are sending the packets into the Linux
networking subsystem. I'm using Wireshark to capture from the network
devices.



___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request () wireshark org?subject=unsubscribe




-- 
Jon Smirl
jonsmirl () gmail com
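
Added example, not part of the original message and not Wireshark code: since the thread turns on whether a captured frame still carries its two-byte FCS, this C program recomputes the 802.15.4 FCS and votes across a capture on whether it is present. The function names, the constructed sample frames and the 90%/10% cut-offs are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define FCS_LEN 2   /* two-byte FCS, as IEEE802154_FCS_LEN in the quoted code */

/* 802.15.4 FCS: 16-bit ITU-T CRC (x^16 + x^12 + x^5 + 1), initial value 0,
 * bits taken LSB first, hence the reflected polynomial 0x8408. */
uint16_t fcs16(const uint8_t *buf, size_t len)
{
    uint16_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (uint16_t)((crc >> 1) ^ ((crc & 1) ? 0x8408 : 0));
    }
    return crc;
}

/* The FCS is sent low byte first, so a frame that carries a valid one has CRC 0. */
int has_valid_fcs(const uint8_t *frame, size_t len)
{
    return len > FCS_LEN && fcs16(frame, len) == 0;
}

/* Constructed sample frames without FCS: ACK, short-addressed data, ACK. */
static const uint8_t ack1[] = { 0x02, 0x00, 0x12 };
static const uint8_t data[] = { 0x41, 0x88, 0x01, 0xCD, 0xAB, 0xFF, 0xFF, 0x01, 0x00, 'h', 'i' };
static const uint8_t ack2[] = { 0x02, 0x00, 0x13 };

/* Vote over the sample capture (with_fcs appends a computed FCS to each frame).
 * Returns 1 = FCS present, 0 = absent, -1 = undecided; 90%/10% cut-offs assumed. */
int classify_sample(int with_fcs)
{
    const uint8_t *src[] = { ack1, data, ack2 };
    const size_t len[] = { sizeof ack1, sizeof data, sizeof ack2 };
    size_t n = 3, ok = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t buf[32]; size_t l = len[i];
        memcpy(buf, src[i], l);
        if (with_fcs) { uint16_t f = fcs16(buf, l); buf[l++] = (uint8_t)f; buf[l++] = (uint8_t)(f >> 8); }
        ok += (size_t)has_valid_fcs(buf, l);
    }
    return ok * 10 >= n * 9 ? 1 : (ok * 10 <= n ? 0 : -1);
}

int main(void)
{
    printf("with FCS: %d, FCS stripped: %d\n", classify_sample(1), classify_sample(0));
    return 0;
}
```

A frame whose FCS was corrupted in transit fails the check just like a frame without one, which is why the decision is taken over the capture and not per frame.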