Re: [SPAM] - Re: important fomrat tcpdump -

[Guy Harris <guy () alum mit edu>]

On Jun 12, 2006, at 7:07 PM, lalani () cs fsu edu wrote:

>  The part I am confused about is where and when does ethernet comes  
> into picture. I got my program to print the header values, but I  
> was looking to know the type and everything I can find about the  
> ethernet frame wrapped in the packet.

Well, the first question is *whether* Ethernet comes into the  
picture.  It doesn't come into the picture if you're capturing on a  
PPP link, for example.

Ethernet (or "pretend Ethernet") comes into the picture if  
pcap_datalink(), when passed the pcap_t you got from pcap_open_offline 
(), returns DLT_EN10MB (the "10MB" is to distinguish it from the old  
3Mb/s Ethernet; all the other Ethernets, all the way up to 10Gb, are  
compatible at this layer with 10Mb/s Ethernet, so you'll get  
DLT_EN10MB for 10Mb/s Ethernet, 100Mb/s Fast Ethernet, Gigabit  
Ethernet, etc.).

You only need call pcap_datalink() after opening the file; you don't  
have to call it for every packet.

If you get DLT_EN10MB from pcap_datalink(), then the first 14 bytes  
of the packet data are an Ethernet header, with a 6-byte destination  
address, a 6-byte source address, and a 2-byte type/length field.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.