tcpdump mailing list archives

Re: New page, giving link-layer header type values


From: Sam Roberts <vieuxtech () gmail com>
Date: Tue, 15 Mar 2011 17:58:27 -0700

On Tue, Mar 15, 2011 at 5:11 PM, Guy Harris <guy () alum mit edu> wrote:
> On Mar 15, 2011, at 4:51 PM, Sam Roberts wrote:
>
>> On Sun, Mar 13, 2011 at 2:41 PM, Guy Harris <guy () alum mit edu> wrote:
>>>        http://www.tcpdump.org/linktypes.html
>>>
>>> contains a description of all the existing link-layer header types for which there is either
>>
>> Not sure why there are two link types for IEEE 802.15.4.
>
> Because this has to work with pcap as well as with pcap-ng, and pcap, unlike pcap-ng, has no way to indicate whether
> a packet has an FCS.

Sorry, I've never used pcap-ng, so my comments apply solely to pcap.

>> The "no FCS at the end" case doesn't need a link type; if the snaplen
>> is 2 bytes shorter than the packet should be, then there is no FCS at
>> the end.
>
> That's a heuristic; heuristics are what you use when you have to work around the lack of information.  That
> particular heuristic assumes that packets are as big as they "should be", which isn't necessarily guaranteed.

I don't understand your explanation.

It sounds like you think there are two variants of 802.15.4, one with
an FCS, and one without. As far as I know, that's not the case (but I
don't pretend to have memorized the whole spec, I just implemented
enough to get zbee traffic across it).

Whether or not the radio chips give the FCS to you when you run them
in sniffer mode depends on the chip. Many just validate the FCS, strip
it, and pass you the packet minus the FCS, but some give you the whole
packet, including the FCS. And some don't give you the FCS; they
replace it with a 2 byte indication of signal strength and quality,
which is useful, but unfortunately including that in the pcap would
require a different DLT_ type, because it is no longer a standard
physical layer frame.

Either way, the FCS was there on the data link, we just don't have it.
Since we only got ("snapped") the packet up to the FCS, we write what
we got and set the snaplen.

How is it a heuristic to notice that the entire packet is not present
in the pcap? If you only write 1 byte, is it a "heuristic" to notice
that the complete 15.4 link layer header isn't there, much less the
payload or the FCS?

Cheers,
Sam
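As an added illustration of the two positions in this exchange (example code written for this page, not from the thread or from libpcap), the model below builds a classic pcap in memory with either LINKTYPE_IEEE802_15_4 (195, frames end with the FCS) or LINKTYPE_IEEE802_15_4_NOFCS (230), then decides FCS presence once by link type and once by the caplen-versus-orig_len heuristic. The link-type values are those on linktypes.html; the 802.15.4 frame bytes are constructed; the third case assumes a capture program that writes orig_len as the length the chip handed it rather than the on-air length, which is the situation where the heuristic gives the wrong answer.

```python
import struct

LINKTYPE_IEEE802_15_4 = 195        # frames end with the 2-byte FCS (value from linktypes.html)
LINKTYPE_IEEE802_15_4_NOFCS = 230  # frames end before the FCS

def crc16_itu_t(data):  # 802.15.4 FCS: poly x^16+x^12+x^5+1, init 0, LSB-first (CRC-16/KERMIT)
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc
def pcap_file(linktype, records):  # classic pcap built in memory: global header + packet records
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 128, linktype)
    for data, orig_len in records:  # incl_len (caplen) and orig_len are all pcap records about size
        out += struct.pack("<IIII", 0, 0, len(data), orig_len) + data
    return out

def parse_pcap(blob):
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    assert magic == 0xA1B2C3D4, "not a little-endian classic pcap"
    off, packets = 24, []
    while off < len(blob):
        _, _, incl_len, orig_len = struct.unpack_from("<IIII", blob, off)
        packets.append((blob[off + 16:off + 16 + incl_len], orig_len))
        off += 16 + incl_len
    return linktype, packets

def fcs_by_linktype(linktype, data):  # pcap has no per-packet FCS flag; the link type is the signal
    if linktype == LINKTYPE_IEEE802_15_4_NOFCS:
        return "absent"
    if linktype == LINKTYPE_IEEE802_15_4:
        return "ok" if crc16_itu_t(data[:-2]) == struct.unpack("<H", data[-2:])[0] else "bad"
    return "unknown"

def fcs_by_snaplen_heuristic(data, orig_len):  # the thread's heuristic: caplen == orig_len - 2
    return "absent" if orig_len - len(data) == 2 else "present"

def compare():
    mpdu = bytes.fromhex("4188013412ffff0100") + b"hello"  # constructed data-frame header + payload
    cases = [  # (link type, bytes the sniffer handed over, orig_len as the capture program wrote it)
        (LINKTYPE_IEEE802_15_4, mpdu + struct.pack("<H", crc16_itu_t(mpdu)), len(mpdu) + 2),  # FCS delivered
        (LINKTYPE_IEEE802_15_4_NOFCS, mpdu, len(mpdu) + 2),  # chip stripped it, orig_len fixed up
        (LINKTYPE_IEEE802_15_4_NOFCS, mpdu, len(mpdu)),      # stripped, orig_len left as received
    ]
    results = []
    for lt, data, orig_len in cases:
        lt2, [(cap, olen)] = parse_pcap(pcap_file(lt, [(data, orig_len)]))
        results.append((fcs_by_linktype(lt2, cap), fcs_by_snaplen_heuristic(cap, olen)))
    return results
```

In the third case the heuristic reports "present" and a dissector following it would treat the last two payload bytes as a (bad) FCS, while the NOFCS link type answers correctly regardless of what the capture program put in orig_len.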
-
This is the tcpdump-workers list.