tcpdump mailing list archives
Re: Problem with generation of Pcap traces for
From: Guy Harris <guy () alum mit edu>
Date: Sat, 16 May 2009 11:57:25 -0700
On May 16, 2009, at 10:32 AM, Johan Mazel wrote:
I suppose that the values for linktype are the ones I'm talking about in my first mail: 01 for Ethernet, 06 for Token Ring, 07 for ARCnet, etc... ???
Libpcap has two sets of link-layer type values - the DLT_ values, which are what are returned by current libpcap APIs, and the LINKTYPE_ values, which are what appear in the header at the beginning of a capture file. The LINKTYPE_ value is a 4-byte value starting at an offset of 20 from the beginning of the file.
Almost all of the values are the same in both sets, but a few are different because a few DLT_ definitions - DLT_RAW is one of them - have different values in different BSDs, so a separate LINKTYPE_ value is used for those, so that, for example, a "raw IP" capture has a LINKTYPE_ value of 101 in the capture file header, no matter what OS the capture was done on, even though on OpenBSD the DLT_ value you'll get from pcap_datalink() will be 14 and on other OSes it'll be 12. DLT_RAW is defined as 14 on OpenBSD and 12 on other OSes, so comparing the return value from pcap_datalink() against DLT_RAW will work on all OSes.
Ethernet is DLT_EN10MB, which happens to have the value 1. Token ring is DLT_IEEE802, which happens to have the value 6; ARCNET, with a BSD-style header, is DLT_ARCNET, which happens to have the value 7, etc. (There's also DLT_ARCNET_LINUX, which is for ARCNET with a Linux-style header; to quote the comment in bpf.h:
    /*
     * BSD's ARCNET headers have the source host, destination host,
     * and type at the beginning of the packet; that's what's handed
     * up to userland via BPF.
     *
     * Linux's ARCNET headers, however, have a 2-byte offset field
     * between the host IDs and the type; that's what's handed up
     * to userland via PF_PACKET sockets.
     *
     * We therefore have to have separate DLT_ values for them.
     */

so DLT_ values and LINKTYPE_ values don't correspond just to physical (or virtual) network types, they correspond to the format of the link-layer headers - and pseudo-headers, such as the radio information headers for 802.11 - at the beginning of the packet.)
- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
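Added example (not from the thread or from libpcap itself) showing the two points above in code: reading the LINKTYPE_ field at offset 20 of a pcap file header in whichever byte order the magic number announces, and mapping a pcap_datalink() result to the value a file must carry, where only DLT_RAW (14 on OpenBSD, 12 elsewhere) differs from its LINKTYPE_ value of 101. The sample headers are constructed, and the function names are my own.

```c
#include <stddef.h>
#include <stdint.h>

/* From the message: LINKTYPE_ is the 4-byte field at offset 20 of the pcap
 * file header; DLT_RAW is 14 on OpenBSD and 12 elsewhere, but a raw-IP file
 * always carries LINKTYPE_RAW = 101. Magic values are the standard pcap ones. */
#define PCAP_HDR_LEN    24
#define LINKTYPE_OFFSET 20
#define LINKTYPE_RAW    101

static uint32_t get32(const uint8_t *p, int big_endian)
{
    if (big_endian)
        return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    return ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

/* Read LINKTYPE_ from a pcap file header in the byte order its magic number
 * announces (0xa1b2c3d4, or 0xa1b23c4d for nanosecond timestamps).
 * Returns -1 for a short buffer or an unrecognised magic. */
long pcap_file_linktype(const uint8_t *buf, size_t len)
{
    if (len < PCAP_HDR_LEN)
        return -1;
    uint32_t m = get32(buf, 1);                 /* try big-endian first */
    int big = (m == 0xa1b2c3d4 || m == 0xa1b23c4d);
    if (!big && m != 0xd4c3b2a1 && m != 0x4d3cb2a1)
        return -1;                              /* not a pcap header */
    return (long)get32(buf + LINKTYPE_OFFSET, big);
}

/* Map a pcap_datalink() result to the value a capture file header must carry.
 * Per the message only DLT_RAW differs; Ethernet (1), Token Ring (6) and
 * ARCNET (7) are the same in both sets and pass through unchanged. */
int dlt_to_linktype(int dlt, int on_openbsd)
{
    int dlt_raw = on_openbsd ? 14 : 12;
    return dlt == dlt_raw ? LINKTYPE_RAW : dlt;
}

/* Constructed headers, not from real captures: a little-endian one carrying
 * linktype 101 (raw IP) and a big-endian one carrying linktype 1 (Ethernet). */
const uint8_t sample_le[PCAP_HDR_LEN] = { 0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00,
    0,0,0,0, 0,0,0,0, 0xff,0xff,0x00,0x00, 0x65,0x00,0x00,0x00 };
const uint8_t sample_be[PCAP_HDR_LEN] = { 0xa1,0xb2,0xc3,0xd4, 0x00,0x02, 0x00,0x04,
    0,0,0,0, 0,0,0,0, 0x00,0x00,0xff,0xff, 0x00,0x00,0x00,0x01 };
```

Feeding the first 24 bytes of a capture to pcap_file_linktype() is a quick sanity check that a generated file carries the LINKTYPE_ value you intended, independent of the OS it was produced on.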