tcpdump mailing list archives

Re: Ethernet Header length


From: Guy Harris <guy () alum mit edu>
Date: Sat, 24 Dec 2011 00:33:05 -0800


On Dec 23, 2011, at 9:02 PM, rixed () happyleptic org wrote:

> The "any" device is not an ethernet device, but a virtual thing
> that will bring you (at least on Linux) a "Linux Cooked" header
> instead of an ethernet header.

The "any" device currently only exists on Linux, so there's nothing other than Linux involved in that case.

> You should google for "linux cooked header".

Or just look at

        http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html

Whenever a program opens a device to perform a capture, or opens a "savefile" with pcap_open_offline(), one of the first things the program should do is call pcap_datalink() on the pcap_t * it gets back from the open, to find out the type of link-layer headers it will get from the pcap_t.  See

        http://www.tcpdump.org/linktypes.html

for a list of the link-layer header types.  Each link-layer header type on that page has:

        a LINKTYPE_ value, which is what appears in the file header of a pcap file and in an Interface Description Block in a pcap-ng file;

        a DLT_ value, which is what pcap_datalink() returns for capture devices and files with that link-layer header type;

        a description.

The program should have a set of DLT_ values that it can handle, and it should not try to print packets if the DLT_ value isn't one it can handle.
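Added example, not part of the message above and not libpcap code: a dispatch on the link-layer header type that handles Ethernet and Linux cooked headers and refuses anything else or any capture shorter than the header. The helper `l3_offset`, the `EX_DLT_` names and the sample packets are constructed for illustration; a real program includes `<pcap.h>` and passes the value returned by pcap_datalink().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Numeric values as listed on tcpdump.org/linktypes.html; a real program
 * uses DLT_EN10MB and DLT_LINUX_SLL from <pcap.h>. */
#define EX_DLT_EN10MB    1    /* Ethernet: 14-byte header */
#define EX_DLT_LINUX_SLL 113  /* Linux cooked ("any" device): 16-byte header */

/* Hypothetical helper: returns the offset of the network-layer payload and
 * stores the protocol/EtherType field in *proto, or returns -1 when the
 * link-layer type is not handled or the captured bytes are too short. */
int l3_offset(int dlt, const uint8_t *pkt, size_t caplen, uint16_t *proto)
{
    size_t hdrlen, proto_off;

    switch (dlt) {
    case EX_DLT_EN10MB:    hdrlen = 14; proto_off = 12; break;
    case EX_DLT_LINUX_SLL: hdrlen = 16; proto_off = 14; break;
    default:               return -1;   /* unknown header: do not guess */
    }
    if (caplen < hdrlen)
        return -1;                      /* truncated capture */
    *proto = (uint16_t)((pkt[proto_off] << 8) | pkt[proto_off + 1]);
    return (int)hdrlen;
}

/* Constructed samples: the same IPv4 first byte (0x45) follows each header. */
const uint8_t ex_eth[] = {
    0x02,0,0,0,0,0x01,  0x02,0,0,0,0,0x02,  0x08,0x00,  0x45 };
const uint8_t ex_sll[] = {   /* pkt type, ARPHRD, addr len, addr[8], proto */
    0x00,0x00,  0x00,0x01,  0x00,0x06,  0x02,0,0,0,0,0x02,0,0,  0x08,0x00,  0x45 };

int main(void)
{
    uint16_t proto = 0;
    int off = l3_offset(EX_DLT_LINUX_SLL, ex_sll, sizeof ex_sll, &proto);
    printf("cooked:      offset %d, protocol 0x%04x\n", off, proto);
    /* Assuming Ethernet for a cooked packet reads the wrong bytes. */
    off = l3_offset(EX_DLT_EN10MB, ex_sll, sizeof ex_sll, &proto);
    printf("as Ethernet: offset %d, protocol 0x%04x\n", off, proto);
    return 0;
}
```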

