Re: [PATCH] libpcap: Add datalink-type to match

[Guy Harris <guy () alum mit edu>]

On Apr 15, 2010, at 12:48 PM, Luca Bruno wrote:

> Yes, I'm using this at work and the patch aimed primarily at easing my
> job inspecting (with wireshark) the traffic we're collecting.
> I just stuck an explicit comment to the patch to let anyone aware of it,
> if they need to handle non-standard traffic.
>
> I think we're saying almost the same here, isn't it? Maybe my commit
> message wasn't clear enough...

Or maybe "safe" wasn't the best choice of words - what matters isn't "safety", it's correctness; we don't want 
something that's less likely to be broken, we want something where it works correctly now *and* where any patch that 
modifies the header provided, and thus break programs that read DLT_IEEE802_15_4 captures, will not be accepted into 
the mainstream kernel.  (I really don't want somebody submitting a patch to Wireshark to "fix" the handling of 802.15.4 
packets because the Linux kernel started munging the header and didn't introduce a new ARPHRD_ value.  There isn't yet 
any support in tcpdump for 802.15.4, but, if any is introduced, I don't want it to have to be "fixed", either.)

> From what you said there, it sounds as if Linux doesn't, in this case, engage in the link-layer-header-mangling it all 
> too often does, and just hands a perfectly ordinary 802.15.4 header followed immediately by the payload to the socket, 
> so it sounds as if DLT_IEEE802_15_4 is the right choice.  My concern was that somebody *else* doing 802.15.4 on Linux 
> wanted a different header:

> Date: Sun, 1 Apr 2007 23:10:18 +0200
> From: "Juergen Schimmer" <schimmi2 () googlemail com>
> To: tcpdump-workers () lists tcpdump org
> Subject: [tcpdump-workers] DLT-Value request for IEEE 802.15.4 lrwpan
>
> Hello
>
> I would like to request a new DLT value for 802.15.4 Low rate wireless
> personal area networks.
> I am currently working on an project using 802.15.4 and would like to
> use libpcap.
>
> Thank you in advance
> Juergen G. Schimmer
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.
>
> Date: Sun, 01 Apr 2007 14:32:15 -0700
> From: Guy Harris <guy () alum mit edu>
> To: tcpdump-workers () lists tcpdump org
> Subject: Re: [tcpdump-workers] DLT-Value request for IEEE 802.15.4 lrwpan
>
> Juergen Schimmer wrote:
>
> > I would like to request a new DLT value for 802.15.4 Low rate wireless
> > personal area networks.
> > I am currently working on an project using 802.15.4 and would like to
> > use libpcap.
>
> So a packet in a capture file would begin with the 2-octet Frame Control 
> field, as per Figure 41 and section 7.2.1 in the 802.15.4-2006 spec? 
> (I.e., there wouldn't be anything before that field?)
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.
>
> Date: Mon, 2 Apr 2007 00:00:21 +0200
> From: "Juergen Schimmer" <schimmi2 () googlemail com>
> To: tcpdump-workers () lists tcpdump org
> Subject: Re: [tcpdump-workers] DLT-Value request for IEEE 802.15.4 lrwpan
>
> 2007/4/1, Guy Harris <guy () alum mit edu>:
> > Juergen Schimmer wrote:
> >
> > > I would like to request a new DLT value for 802.15.4 Low rate wireless
> > > personal area networks.
> > > I am currently working on an project using 802.15.4 and would like to
> > > use libpcap.
> >
> > So a packet in a capture file would begin with the 2-octet Frame Control
> > field, as per Figure 41 and section 7.2.1 in the 802.15.4-2006 spec?
> > (I.e., there wouldn't be anything before that field?)
>
> Yes. In difference t the 802.15.4-2006 spec all Address fields are at
> the maximum
> size ( This is done in the device driver for better handling in the
> upper layers )
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.
>
> Date: Sun, 01 Apr 2007 19:05:43 -0700
> From: Guy Harris <guy () alum mit edu>
> To: tcpdump-workers () lists tcpdump org
> Subject: Re: [tcpdump-workers] DLT-Value request for IEEE 802.15.4 lrwpan
>
> Juergen Schimmer wrote:
>
> > Yes. In difference t the 802.15.4-2006 spec all Address fields are at
> > the maximum
> > size ( This is done in the device driver for better handling in the
> > upper layers )
>
> In other words, the packets are *NOT* 802.15.4-2006 packets as they 
> appear on the air, but have had the address fields padded?
>
> Is this on Linux?
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.
>
> Date: Mon, 2 Apr 2007 11:48:07 +0200
> From: "Juergen Schimmer" <schimmi2 () googlemail com>
> To: tcpdump-workers () lists tcpdump org
> Subject: Re: [tcpdump-workers] DLT-Value request for IEEE 802.15.4 lrwpan
>
> 2007/4/2, Guy Harris <guy () alum mit edu>:
>
> > In other words, the packets are *NOT* 802.15.4-2006 packets as they
> > appear on the air, but have had the address fields padded?
>
> Yes
> > Is this on Linux?
>
> Yes it is on Linux. ( X86 and uClinunx ARM ). At the Moment i try to get the
> device driver (cc2420 at the Parallel Port on PC, SPI on ARM ) reliable.
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.

although it sounds as if his 802.15.4 implementation might be different from the one in the mainstream kernel, and the 
latter might not pad the address fields.

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.