tcpdump mailing list archives

Re: Variable length mac headers and gencode.c (and DLT request)


From: Guy Harris <guy () alum mit edu>
Date: Fri, 13 May 2011 01:02:53 -0700


On May 13, 2011, at 12:52 AM, Darren Reed wrote:

> The goal of this is quite specific: to allow packets on a network device
> to have mixed link-layer headers present and be able to use tcpdump and
> friends to push meaningful filters into the kernel. The general thrust
> of that is towards IP, thus weird 802.2/PPP headers aren't really that
> interesting from a problem perspective, however that doesn't mean they
> get ignored.

Are the link-layer headers, or some component of them, of any interest in this particular application?  (Presumably so, otherwise you'd just be using LINKTYPE_RAW, with all packets being IPv4 or IPv6 and starting with the IPv{4,6} header, with the version field being used to distinguish between them.)

Is the *entire* link-layer header of interest, or only selected fields?  LINKTYPE_LINUX_SLL:

        http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html

will supply a standardized packet type (Ethertype if it has one, 1 if it's the crufty old IPX-directly-over-Ethernet stuff, 4 if the payload starts with an 802.2 header, protocols that have no Ethertype nor a DSAP nor an OUI/PID combination for SNAP aren't allowed) and the sender's link-layer address, if any, along with the Linux ARPHRD_ type for the device (to help you interpret the sender address, presumably).  If that supplies enough information, you could use that.

(And, yes, this is usable, and is used, for a similar application - the "any" device on Linux, which uses an unbound PF_PACKET/SOCK_DGRAM socket, so that it receives packets from *all* interfaces.)
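As an added illustration (not part of the original message or of libpcap), here is a small parser for the LINKTYPE_LINUX_SLL pseudo-header referenced above, dispatching on its protocol field the way the message describes (1 = raw IPX over 802.3, 4 = 802.2 LLC follows, anything else an Ethertype), with a LINKTYPE_RAW-style version-nibble check for comparison; the sample frame and the helper names are constructed for this example.

```python
import struct
from dataclasses import dataclass

SLL_HDR_LEN = 16  # fixed pseudo-header: pkt type, ARPHRD_, addr len, addr, protocol
# Protocol-field values the message calls out; anything else is an Ethertype
SLL_P_802_3 = 1   # IPX directly over Ethernet, no 802.2 header
SLL_P_802_2 = 4   # payload starts with an 802.2 LLC header
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD


@dataclass
class SllHeader:
    packet_type: int  # 0 to us, 1 broadcast, 2 multicast, 3 to other host, 4 sent by us
    arphrd_type: int  # Linux ARPHRD_ value of the capturing device
    addr: bytes       # sender link-layer address, trimmed to its declared length
    protocol: int
    payload: bytes


def parse_sll(frame: bytes) -> SllHeader:
    """Split a LINKTYPE_LINUX_SLL frame into its pseudo-header and payload."""
    if len(frame) < SLL_HDR_LEN:
        raise ValueError("truncated SLL header")
    pkt_type, hw_type, addr_len, addr, proto = struct.unpack(
        "!HHH8sH", frame[:SLL_HDR_LEN])
    if addr_len > 8:  # the address field is only 8 bytes; longer is malformed
        raise ValueError(f"bad link-layer address length {addr_len}")
    return SllHeader(pkt_type, hw_type, addr[:addr_len], proto, frame[SLL_HDR_LEN:])


def payload_kind(hdr: SllHeader) -> str:
    """Name the payload the way the SLL protocol field encodes it."""
    if hdr.protocol == SLL_P_802_3:
        return "ipx-raw-802.3"
    if hdr.protocol == SLL_P_802_2:
        return "802.2-llc"
    if hdr.protocol == ETHERTYPE_IPV4:
        return "ipv4"
    if hdr.protocol == ETHERTYPE_IPV6:
        return "ipv6"
    return f"ethertype-0x{hdr.protocol:04x}"


def raw_ip_version(payload: bytes) -> int:
    """LINKTYPE_RAW-style dispatch: the IP version nibble alone tells v4 from v6."""
    return payload[0] >> 4 if payload else 0


# Constructed sample: "sent by us" over Ethernet (ARPHRD 1), 6-byte MAC, IPv4 payload
SAMPLE_IPV4_FRAME = (struct.pack("!HHH8sH", 4, 1, 6,
                                 bytes.fromhex("020000000001"), ETHERTYPE_IPV4)
                     + bytes.fromhex("4500001400010000401100000a0000010a000002"))
```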