Re: DLT type for Libpcap Library

[Guy Harris via tcpdump-workers <tcpdump-workers () lists tcpdump org>]

> --- Begin Message ---
>
>
> From: Guy Harris <gharris () sonic net>
>
> Date: Sun, 28 Aug 2022 13:24:40 -0700
>
> On Aug 24, 2022, at 11:31 AM, Christian via tcpdump-workers <tcpdump-workers () lists tcpdump org> wrote:
>
> > Hello everyone, another question that I have is which DLT-type I should use for my libpcap-module. Since Im writing a 
> > module which acquires data from a kernel module, which in turn has no IP-based packages at all. I have to define my 
> > very own data-type from the base onwards. But because this is nothing worth to release (maybe only for documentation 
> > of an example) I would rather use a DLT_USERn linktype. But this is only defined on applications which use pcap lib, 
> > not libpcap itself?
>
> "Defined" in what sense?
>
> The only ways in which the code in the libpcap library "defines" a LINKTYPE_/DLT_ value's format are
>
>         1) the code that compiles filter expressions needs to know the format of the data in a packet of a given 
> link-layer type;
>
>         2) in order to deal with some link-layer header types where data is in the byte order of the host that wrote 
> the file, libpcap, when reading a file, may have to byte-swap host-byte-order fields from the byte order of the host 
> that wrote the file into the byte order of the host that's reading the file if the two are different, and the 
> remote-pcap protocol code must do so with packet data from a remote server if the byte orders of the two hosts are 
> different.
>
> Code that reads pcap and pcapng files, whether with libpcap or independent code for reading pcap and pcapng files, has 
> to provide its *own* code to interpret the packets; if a new LINKTYPE_/DLT_ value is added, neither tcpdump nor 
> Wireshark nor any other program will acquire the ability to handle that file format as a result of any changes to 
> libpcap for that format - new code will have to be written for those programs.
>
> I.e., making tcpdump or Wireshark or... handle your data-link type is up to you.  You'l have to modify tcpdump or 
> Wireshark, or add a plugin for Wireshark.
>
> (And note that code that processes those files doesn't define the formats; they follow the definitions of the formats.  
> The *definitions* of the formats are currently at
>
>         https://www.tcpdump.org/linktypes.html
>
> However, those definitions themselves may refer to other specifications.  For example, the format of 
> LINKTYPE_ETHERNET/DLT_EN10MB packet data is really defined by the LAN/MAN Standards Committee of the IEEE Computer 
> Society, not by The Tcpdump Group or the libpcap code.)
>
> > Another question is: how to map the structure(s) in which I define my data types with the symbol in dlt.h?
>
> "Map" in what sense?
>
> --- End Message ---
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers