tcpdump mailing list archives
Re: Ethernet Header length
From: Guy Harris <guy () alum mit edu>
Date: Sat, 24 Dec 2011 00:33:05 -0800
On Dec 23, 2011, at 9:02 PM, rixed () happyleptic org wrote:
> The "any" device is not an ethernet device, but a virtual thing that will bring you (at least on Linux) a "Linux Cooked" header instead of an ethernet header.
The "any" device currently only exists on Linux, so there's nothing other than Linux involved in that case.
> You should google for "linux cooked header".
Or just look at http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html

Whenever a program opens a device to perform a capture, or opens a "savefile" with pcap_open_offline(), one of the first things the program should do is call pcap_datalink() on the pcap_t * it gets back from the open, to find out the type of link-layer headers it will get from the pcap_t.

See http://www.tcpdump.org/linktypes.html for a list of the link-layer header types. Each link-layer header type on that page has:

	a LINKTYPE_ value, which is what appears in the file header of a pcap file and in an Interface Description Block in a pcap-ng file;

	a DLT_ value, which is what pcap_datalink() returns for capture devices and files with that link-layer header type;

	a description.

The program should have a set of DLT_ values that it can handle, and it should not try to print packets if the DLT_ value isn't one it can handle.
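The check described in the message above, as an added example that is not part of the original post and is not libpcap code. It reads the LINKTYPE_ value straight from a classic pcap file header rather than calling pcap_datalink(), and refuses to dissect link types it does not know. The function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LINKTYPE_ETHERNET  1    /* 14-byte Ethernet header */
#define LINKTYPE_LINUX_SLL 113  /* 16-byte Linux cooked header ("any" device) */

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
/* Microsecond- and nanosecond-resolution pcap magic numbers. */
static int is_magic(uint32_t m) { return m == 0xa1b2c3d4u || m == 0xa1b23c4du; }

/* LINKTYPE_ value from a 24-byte pcap file header, or -1 if it is not one.
 * The file is written in the writer's byte order, so try both. */
int pcap_file_linktype(const uint8_t *h, size_t len) {
    if (len < 24) return -1;
    if (is_magic(le32(h))) return (int)(le32(h + 20) & 0xffff);
    if (is_magic(be32(h))) return (int)(be32(h + 20) & 0xffff);
    return -1;
}

/* Link-layer header length for the types this program handles, else -1. */
int link_header_len(int linktype) {
    switch (linktype) {
    case LINKTYPE_ETHERNET:  return 14;
    case LINKTYPE_LINUX_SLL: return 16;
    default:                 return -1;  /* unknown layout: do not dissect */
    }
}

/* Type/protocol field (last 2 bytes of either header, big-endian), or -1
 * if the link type is unhandled or the captured bytes are too short. */
int network_protocol(int linktype, const uint8_t *pkt, size_t caplen) {
    int hlen = link_header_len(linktype);
    if (hlen < 0 || caplen < (size_t)hlen) return -1;
    return pkt[hlen - 2] << 8 | pkt[hlen - 1];
}

/* Constructed sample: little-endian pcap file header with link type 113. */
static const uint8_t sample_file_header[24] = {
    0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 113,0,0,0 };
/* Constructed sample: cooked header (type, ARPHRD, addr len, addr, proto). */
static const uint8_t sample_sll_packet[16] = {
    0,0, 0,1, 0,6, 0x00,0x11,0x22,0x33,0x44,0x55,0,0, 0x08,0x00 };

int main(void) {
    int lt = pcap_file_linktype(sample_file_header, sizeof sample_file_header);
    printf("linktype %d, protocol 0x%04x\n", lt,
           (unsigned)network_protocol(lt, sample_sll_packet, sizeof sample_sll_packet));
    return 0;
}
```
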