tcpdump mailing list archives

Re: Link Layer Type Request NETANALYZER_NG


From: Jan Adam via tcpdump-workers <tcpdump-workers () lists tcpdump org>
Date: Wed, 24 Mar 2021 07:32:50 +0000

--- Begin Message ---
From: Jan Adam <JAdam () hilscher com>
Date: Wed, 24 Mar 2021 07:32:50 +0000
That should also be noted in the specification.

I updated the specification with information about alignment, SrcID, and PayloadType.

Slicing a captured packet is not supported by our capturing device.

But some software can slice packets afterwards.  Either that would have to be forbidden (meaning editcap and, I think, tcpdump would have to check for LINKTYPE_NETANALYZER_NG/DLT_NETANALYZR_NG and refuse to do slicing), or they would have to 1) ensure that the slice size is >= the footer size and 2) do the slicing specially, removing bytes *before* the footer, so that if incl_len < VarSize + footer_size, (VarSize + footer_size) - incl_len bytes have been sliced off.

Both might be possible paths to take for slicing. In any case, the PayloadSize should also be adjusted when the payload length is changed, in my opinion. Is this a problem?

So, with incl_len equal to {PayloadSize,VarSize} + 54, orig_len would be equal to {original PayloadSize} + 54, so the original payload size would be orig_len - 54.

That would allow the original size and the sliced size of the payload to be calculated, so that should work.

Yes it should work.

I have the feeling this is more about the design than the implementation.
I will try to explain our design decision of the footer. We have observed that customers using Wireshark don't think about the header when counting the bytes in the hex dump and expect the frame to start at the first byte and, as a result, read out wrong values. Therefore our idea was to put the additional info at the end in the form of a footer.

Maybe you can help me understand more of the general concept: how is this slicing handled for a DLT with a header or footer in general?
If you take for example another DLT: https://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html it has a 16-byte header size. How does editcap or tcpdump take that into account? Is it possible to slice without taking the header size into account?







--- End Message ---
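
The footer-preserving slicing discussed in this message, as an added example that is not part of the original e-mail and is not tcpdump or editcap code. It treats the 54-byte footer as opaque bytes, because the thread does not give the field layout, so the PayloadSize field inside the footer is not rewritten; `struct rec`, `MAX_REC`, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FOOTER_LEN 54u            /* footer size quoted in the thread */
#define MAX_REC    2048u          /* assumption: buffer bound for this sketch */

struct rec {                      /* hypothetical in-memory pcap record */
    uint32_t incl_len;            /* bytes stored: payload + footer */
    uint32_t orig_len;            /* original payload + footer */
    uint8_t  data[MAX_REC];
};

/* Slice to at most snaplen stored bytes, cutting payload bytes *before* the
 * footer. Returns 0 on success, -1 on malformed input or too-small snaplen. */
int slice_keep_footer(const struct rec *in, uint32_t snaplen, struct rec *out)
{
    if (in->incl_len < FOOTER_LEN || in->incl_len > MAX_REC ||
        in->orig_len < in->incl_len)
        return -1;                                /* untrusted length fields */
    if (snaplen < FOOTER_LEN)
        return -1;                                /* slice size >= footer size */
    uint32_t payload = in->incl_len - FOOTER_LEN;
    uint32_t keep = snaplen - FOOTER_LEN;
    if (keep > payload)
        keep = payload;                           /* nothing to cut */
    memmove(out->data, in->data, keep);
    memmove(out->data + keep, in->data + payload, FOOTER_LEN);
    out->incl_len = keep + FOOTER_LEN;
    out->orig_len = in->orig_len;                 /* original size survives */
    return 0;
}

/* Constructed sample: payload bytes 0,1,2,... then a 0xEE-filled footer. */
void make_sample(struct rec *r, uint32_t payload_len)
{
    for (uint32_t i = 0; i < payload_len; i++) r->data[i] = (uint8_t)i;
    memset(r->data + payload_len, 0xEE, FOOTER_LEN);
    r->incl_len = r->orig_len = payload_len + FOOTER_LEN;
}

int main(void)
{
    static struct rec in, out;
    make_sample(&in, 100);
    if (slice_keep_footer(&in, 64, &out) == 0)
        printf("incl_len=%u orig_len=%u\n", out.incl_len, out.orig_len);
    return 0;
}
```

After slicing, the original payload size is still recoverable as `orig_len - 54` and the number of bytes cut as `orig_len - incl_len`, matching the arithmetic in the message.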