Re: How does dumpcap.c communicate linktype when pushing packets into the rest of Wireshark?

[Guy Harris <guy () alum mit edu>]

On May 10, 2012, at 2:06 PM, Jeff Morriss wrote:

> Richard Sharpe wrote:
> > Hi folks,
> >
> > The problem with my changes to support pcap-ng through pipes seems to
> > be that I am not communicating linktype correctly.
> >
> > What is the secret?
>
> IIRC Wireshark gets the linktype of the interfaces BEFORE the capture
> starts.

Actually, *Wireshark* gets the linktype of the interface(s) as it reads the output of dumpcap.

The question is where *dumpcap* gets the linktype.  From an interface, it gets it from a pcap_datalink() call once the 
interface is open, but that doesn't work on a pipe.  For a pipe, cap_pipe_open_live() reads the pcap file header from 
the pipe and then uses the link-layer header type from the file header.

However, if we're going to support capturing from a pipe to which a pcap-ng-format data stream is being written, 
there's no longer a linktype - there's a list of one *or more* interfaces, not all of which necessarily have the same 
link-layer header type.

That might mean that dumpcap's capture-pipe-reading architecture would need to change to (fully) support pcap-ng; 
perhaps that might involve changing the message sequence between dumpcap and {Wire,T}shark so that dumpcap sends 
messages to its client saying "a new interface has arrived, here's an Interface Description Block for it" (with an IDB 
being synthesized from the file header if a pcap-format data stream is being read from the pipe).
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe