tcpdump mailing list archives
Re: DLT_EN10MB and DLT_IEEE802
From: Guy Harris <gharris () sonic net>
Date: Tue, 3 Jun 2003 11:31:54 -0700
On Tue, Jun 03, 2003 at 01:45:04PM -0400, Allison, Jason (JALLISON) wrote:
Continuing on my other emails, after further investigation I am confused about some things defined in ./net/bpf.h: #define DLT_EN10MB 1 /* Ethernet (10Mb) Ethernet frames can have Ethernet or 802.3 encapsulation #define DLT_IEEE802 6 /* IEEE 802 Networks */ What am I missing?
DLT_ values *really* refer to the precise form of the link-layer header on packets, and are used to 1) tell libpcap what sort of code to generate for filter expressions; 2) tell the application what sort of link-layer headers to analyze. The original DLT_ values were the ARP type values for the link-layer types; for whatever reason, even though the MAC address format for DEC/Intel/Xerox Ethernet is the same as the 802.* MAC address format, they were given separate ARP type values, and so there's DLT_EN10MB (where the "10MB" is to distinguish it from the 3Mb experimental Ethernet at Xerox, not to distinguish it from *faster* Ethernets, which have the same link-layer header as D/I/X Ethernet and therefore also use DLT_EN10MB). However, ARP type values aren't useful for the purpose for which DLT_ types are used, as there is, for example, no link-layer header type for "IEEE 802 networks" - they have different link-layer types. Furthermore, not all network types supported by libpcap *have* ARP type values. So, in practice: DLT_EN10MB is used for all flavors of standard Ethernet (10Mb, 100Mb, 1000Mb, and presumably 10000Mb), and you determine whether a DLT_EN10MB packet uses Ethernet or 802.3 encapsulation by looking at the type/length field; DLT_IEEE802 was used both by some BSD implementations and some Linux libpcaps for 802.5 Token Ring, and we've picked that up for our libpcap and tcpdump. - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
Current thread:
- DLT_EN10MB and DLT_IEEE802 Allison, Jason (JALLISON) (Jun 03)
- Re: DLT_EN10MB and DLT_IEEE802 Guy Harris (Jun 03)
- Firewall using libpcap Biswajit Paul (Jun 03)
- Re: DLT_EN10MB and DLT_IEEE802 Guy Harris (Jun 03)