wireshark-dev October 2010 archive
Main Archive Page > Month Archives  > wireshark-dev archives
wireshark-dev: Re: [Wireshark-dev] Question regarding using Taps

Re: [Wireshark-dev] Question regarding using Taps in Lua

From: Jeff Morriss <jeff.morriss.ws_at_nospam>
Date: Thu Oct 21 2010 - 14:38:53 GMT
To: Developer support list for Wireshark <wireshark-dev@wireshark.org>

Holger Freyther wrote:
> Hi all,
> I wrote a simple lua script[1] with the intention to split a trace based on
> SCCP connections and then only keep the connections that have shown kind of a
> problem. In general it is working fine but I have one problem. I am missing
> SCCP packets in my trace. I wonder if the following might be an explanation.
> What happens if there are multiple IP packets in one Ethernet frame? Will
> tap:packet be called for each IP packet inside the frame or will I need to
> iterate over the packets from within the tap:packet() call?

Each IP packet is sent to the tap separately, even if there are multiple
IP packets per frame (at least AFAICS).

But, are you dealing with multiple IP packets per frame or multiple SCTP
data chunks (and thus M3UA and SCCP packets) per frame?

If the latter, you might be better off tapping higher--maybe at the M3UA
or SCCP tap.
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev