Wireshark mailing list archives
Re: How does dumpcap.c communicate linktype when pushing packets into the rest of Wireshark?
From: Richard Sharpe <realrichardsharpe () gmail com>
Date: Thu, 10 May 2012 18:18:51 -0700
On Thu, May 10, 2012 at 4:14 PM, Guy Harris <guy () alum mit edu> wrote:
> On May 10, 2012, at 2:06 PM, Jeff Morriss wrote:
>
>> Richard Sharpe wrote:
>>
>>> Hi folks,
>>>
>>> The problem with my changes to support pcap-ng through pipes seems to be that I am not communicating linktype correctly. What is the secret?
>>
>> IIRC Wireshark gets the linktype of the interfaces BEFORE the capture starts.
>
> Actually, *Wireshark* gets the linktype of the interface(s) as it reads the output of dumpcap. The question is where *dumpcap* gets the linktype. From an interface, it gets it from a pcap_datalink() call once the interface is open, but that doesn't work on a pipe. For a pipe, cap_pipe_open_live() reads the pcap file header from the pipe and then uses the link-layer header type from the file header.
>
> However, if we're going to support capturing from a pipe to which a pcap-ng-format data stream is being written, there's no longer a linktype - there's a list of one *or more* interfaces, not all of which necessarily have the same link-layer header type.
>
> That might mean that dumpcap's capture-pipe-reading architecture would need to change to (fully) support pcap-ng; perhaps that might involve changing the message sequence between dumpcap and {Wire,T}shark so that dumpcap sends messages to its client saying "a new interface has arrived, here's an Interface Description Block for it" (with an IDB being synthesized from the file header if a pcap-format data stream is being read from the pipe).
OK, that gives me the hint I was looking for ...

--
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. -- Cao Cao)
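The difference described in the quoted reply above (one link-layer header type in a pcap file header, versus one per Interface Description Block in pcap-ng), as an added example that is not part of the original message and is not dumpcap's code. The function `stream_linktypes` and both byte arrays are hypothetical and constructed here; the buffer is assumed to hold whole blocks of a single pcap-ng section.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed samples: a little-endian pcap-ng stream (SHB, then IDBs with link
 * types 1 and 127) and a big-endian pcap file header with link type 1. */
const uint8_t SAMPLE_PCAPNG[68] = {
    0x0a,0x0d,0x0d,0x0a, 0x1c,0,0,0, 0x4d,0x3c,0x2b,0x1a, 1,0, 0,0,
    0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 0x1c,0,0,0,
    1,0,0,0, 0x14,0,0,0, 0x01,0, 0,0, 0,0,4,0, 0x14,0,0,0,
    1,0,0,0, 0x14,0,0,0, 0x7f,0, 0,0, 0,0,4,0, 0x14,0,0,0 };
const uint8_t SAMPLE_PCAP[24] = {
    0xa1,0xb2,0xc3,0xd4, 0,2, 0,4, 0,0,0,0, 0,0,0,0, 0,4,0,0, 0,0,0,1 };

static uint32_t rd32(const uint8_t *p, int be) {
    return be ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
              : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* Hypothetical helper: stores each declared link type in out[] and returns the
 * count (1 for pcap, one per IDB for pcap-ng), or -1 if unknown or malformed. */
int stream_linktypes(const uint8_t *buf, size_t len, uint32_t *out, int max) {
    if (len < 24 || max < 1) return -1;
    uint32_t m = rd32(buf, 1);
    if (m == 0xa1b2c3d4 || m == 0xa1b23c4d || m == 0xd4c3b2a1 || m == 0x4d3cb2a1) {
        out[0] = rd32(buf + 20, (m >> 24) == 0xa1);  /* pcap: one type per stream */
        return 1;
    }
    uint32_t bom = rd32(buf + 8, 1);                 /* pcap-ng byte-order magic */
    if (m != 0x0a0d0d0a || (bom != 0x1a2b3c4d && bom != 0x4d3c2b1a)) return -1;
    int be = (bom == 0x1a2b3c4d), n = 0;
    for (size_t off = 0; len - off >= 12; ) {
        uint32_t type = rd32(buf + off, be), blen = rd32(buf + off + 4, be);
        if (blen < 12 || blen % 4 || blen > len - off) return -1;
        if (type == 0x0a0d0d0a && off != 0) break;   /* new section: stop here */
        if (type == 1) {                             /* Interface Description Block */
            if (blen < 20 || n >= max) return -1;
            const uint8_t *p = buf + off + 8;        /* 16-bit LinkType field */
            out[n++] = be ? (uint32_t)p[0] << 8 | p[1] : (uint32_t)p[1] << 8 | p[0];
        }
        off += blen;
    }
    return n;
}

int main(void) {
    uint32_t lt[8];
    int n = stream_linktypes(SAMPLE_PCAPNG, sizeof SAMPLE_PCAPNG, lt, 8);
    for (int i = 0; i < n; i++) printf("interface %d: linktype %u\n", i, (unsigned)lt[i]);
    return n < 0;
}
```

The block lengths are bounds-checked against the remaining buffer before any field is read, so a truncated or hostile stream on the pipe yields -1 rather than an out-of-bounds read.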