Wireshark mailing list archives

Re: wiretap - using as a library rather than coupled with Wireshark?


From: Richard Kinder <rkinder () quantenna com>
Date: Thu, 3 Dec 2015 22:02:22 +0000

Hi Tim,

Appreciate you spending the time to reply.

I’ve hacked up a small change to libwiretap to insert a basic radiotap header. It’s unclean right now but does the job.

I can now run a command such as:

editcap -F pcap -T ieee-802-11-radiotap input.pkt output.pcap

and I get something which is pcap + RT. I’m pushing the packet timestamp from the airopeek capture into the TSFT RT 
field, and adding in the flags RT field and filling in the FCS present bit.

Next step would be to figure out how to build the radiotap header properly (abstracted etc.) and as completely as 
possible based on the pseudo 802.11 header. I’m assuming that introducing additional library dependencies is 
undesirable, so it would mean adding in new code into libwiretap or elsewhere in the tree.

Regarding concurrent Wireshark + peek captures – this isn’t possible as I’m post processing sniffer traces. We can’t 
dictate the format or the tool used to gather the traces, but do require radiotap headers for further analysis.

Regards,
Richard
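The mapping Richard describes above (a radiotap header carrying only TSFT and Flags, with the capture timestamp written into TSFT and the FCS-present bit set, in front of each 802.11 frame in a pcap whose link type is 127) can be reproduced outside libwiretap. The following is an added example and not Richard's patch or any Wireshark code: the sample 802.11 frame and its timestamp are constructed, the 4-byte FCS is a placeholder, and the helpers `build_radiotap`, `parse_radiotap` and `write_pcap` are hypothetical names. It includes a small parser so the alignment rule (each radiotap field aligned to its natural size, counted from the start of the header) can be checked round-trip, which is the part most easily got wrong.

```python
import struct

# Radiotap "present" bits and flag values, per the radiotap specification.
RT_PRESENT_TSFT = 1 << 0           # u64 microseconds, 8-byte aligned
RT_PRESENT_FLAGS = 1 << 1          # u8 bitmap
RT_FLAG_FCS_AT_END = 0x10          # frame bytes include the 4-byte FCS
LINKTYPE_IEEE802_11_RADIOTAP = 127 # pcap link-layer header type for radiotap


def build_radiotap(tsft_us, fcs_present):
    """Return a radiotap header carrying only the TSFT and Flags fields.

    Note: TSFT is defined as the MAC's 64-bit microsecond timer; writing the
    capture timestamp into it (as done here) is an approximation of that."""
    body = bytearray()

    def pad_to(alignment):
        # Alignment is measured from the start of the header (8 fixed bytes).
        while (8 + len(body)) % alignment:
            body.append(0)

    pad_to(8)
    body += struct.pack("<Q", tsft_us)                       # TSFT, offset 8
    body += struct.pack("<B", RT_FLAG_FCS_AT_END if fcs_present else 0)  # Flags, offset 16
    present = RT_PRESENT_TSFT | RT_PRESENT_FLAGS
    # it_version=0, it_pad=0, it_len (whole header), it_present bitmap; all little-endian
    header = struct.pack("<BBHI", 0, 0, 8 + len(body), present)
    return header + bytes(body)


def parse_radiotap(buf):
    """Minimal reader for headers produced by build_radiotap (no extended bitmaps)."""
    version, _pad, it_len, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0 or it_len < 8 or it_len > len(buf):
        raise ValueError("malformed radiotap header")
    if present & (1 << 31):
        raise ValueError("extended present bitmaps are not handled here")
    off = 8
    out = {"it_len": it_len}
    if present & RT_PRESENT_TSFT:
        off += (-off) % 8                                    # re-apply 8-byte alignment
        out["tsft"] = struct.unpack_from("<Q", buf, off)[0]
        off += 8
    if present & RT_PRESENT_FLAGS:
        out["flags"] = buf[off]
        off += 1
    return out


def write_pcap(records):
    """records: iterable of (timestamp_seconds, frame_bytes, fcs_present).
    Returns the bytes of a classic pcap file with link type 127."""
    # magic (microsecond resolution), version 2.4, thiszone, sigfigs, snaplen, network
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535,
                                LINKTYPE_IEEE802_11_RADIOTAP))
    for ts, frame, fcs_present in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        pkt = build_radiotap(sec * 1_000_000 + usec, fcs_present) + frame
        out += struct.pack("<IIII", sec, usec, len(pkt), len(pkt))  # record header
        out += pkt
    return bytes(out)


# Constructed sample: a 24-byte 802.11 beacon MAC header followed by a placeholder FCS.
SAMPLE_FRAME = (bytes.fromhex("8000" "0000")            # frame control (beacon), duration
                + bytes.fromhex("ffffffffffff")          # DA: broadcast
                + bytes.fromhex("020000000001") * 2      # SA, BSSID (locally administered)
                + bytes.fromhex("1000")                  # sequence control
                + b"\xde\xad\xbe\xef")                   # placeholder FCS (not computed)
SAMPLE_TS = 1448895000.5   # constructed capture timestamp, seconds since the epoch

if __name__ == "__main__":
    data = write_pcap([(SAMPLE_TS, SAMPLE_FRAME, True)])
    with open("sample_radiotap.pcap", "wb") as f:
        f.write(data)
    print(parse_radiotap(data[40:]))   # 24-byte file header + 16-byte record header
```

The resulting file opens in Wireshark as "IEEE 802.11 plus radiotap radio header", which is a quick way to confirm the alignment and the FCS flag before investing in the fuller *Peek-to-radiotap field mapping discussed in the thread.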


From: wireshark-dev-bounces () wireshark org [mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Tim Furlong
Sent: Friday, 4 December 2015 2:29 AM
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] wiretap - using as a library rather than coupled with Wireshark?

Hi Richard,

Sorry for the delay in getting back to you - and I wish I had more time to look into it before responding, but the baby 
will be up soon and I wanted to follow up while I had a few minutes.

Also, quick but important caveat: I'm a dev-list lurker, as opposed to a core Wireshark developer, and my opinions are 
entirely my own - I'll happily defer to them on any of the below.  But, since I opened my big keyboard about editcap 
in the first place, I'll do what I can. :-)

One of the biggest challenges you'll face in this is that the code to parse radiotap is in epan/dissectors and gets 
compiled into libwireshark; you won't want to pull libwireshark in to editcap (it'd kind of defeat the purpose of 
editcap).  Didn't locate the airopeek code, but believe it's in libwiretap, which should be fine.  Also, I don't know 
if there's code to generate radiotap headers, though I'd be inclined to follow through what wireshark does when doing a 
wi-fi capture to try and find it (well, doing the capture first to confirm that it.

Actually, come to think of it, if you can do wi-fi capture with dumpcap, then there is probably code somewhere to write 
radiotap without going to libwireshark, so you might be in luck - though you'd want to confirm with a test capture that 
dumpcap does write radiotap headers before you sink much time into that.  For translating from airopeek, though, as Guy 
indicated, you're likely going to do the heavy lifting on that yourself.  My inclination would be to do concurrent 
Wireshark and Airopeek captures on the same network at the same time, if possible, and then use the two captures to 
figure out your field mappings - or at least, to start doing so.

Sorry I can't be of more help, but hopefully there's something useful in the above. :P

Thanks, and good luck,
-Tim





On Mon, Nov 30, 2015 at 7:27 PM, Richard Kinder <rkinder () quantenna com<mailto:rkinder () quantenna com>> wrote:
Hi Guy, Tim,

Thanks for this input. I think modification of editpcap is the best path forward for this problem.

The files I'm looking at converting are indeed Airopeek, so I'll need to add support for translation of the peek* 
metadata to radiotap. Any pointers as to where to start, architectural overviews of libwiretap or documentation are 
greatly appreciated.

Regards,
Richard

-----Original Message-----
From: Guy Harris [mailto:guy () alum mit edu<mailto:guy () alum mit edu>]
Sent: Saturday, 28 November 2015 4:54 AM
To: Developer support list for Wireshark <wireshark-dev () wireshark org<mailto:wireshark-dev () wireshark org>>
Cc: Richard Kinder <rkinder () quantenna com<mailto:rkinder () quantenna com>>
Subject: Re: [Wireshark-dev] wiretap - using as a library rather than coupled with Wireshark?


On Nov 27, 2015, at 7:09 AM, Tim Furlong <dev.null.2007 () gmail com<mailto:dev.null.2007 () gmail com>> wrote:

Sorry if I'm just missing something, but would editcap itself do the job?

editcap <in.pkt> <out.pcapng>

should read your Wildpackets file and produce a pcapng file; add a "-F pcap" for pcap format instead.

...as long as it's not an AiroPeek capture or an OmniPeek Wi-Fi capture, as *that* would require translating the radio 
metadata headers from either of the *Peek formats to a format supported in pcap/pcapng files, such as radiotap.  
editcap doesn't look at the packet contents, and can't do that translation.


This email, including its contents and any attachment(s), may contain confidential information of Quantenna 
Communications, Inc. and is solely for the intended recipient(s). If you may have received this in error, please 
contact the sender and permanently delete this email, its contents and any attachment(s).
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org<mailto:wireshark-dev () wireshark org>>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org<mailto:wireshark-dev-request () wireshark org>?subject=unsubscribe



--
Tim Furlong
tim.furlong () gmail com<mailto:tim.furlong () gmail com>


