Wireshark mailing list archives
Re: How does dumpcap.c communicate linktype when pushing packets into the rest of Wireshark?
From: Guy Harris <guy () alum mit edu>
Date: Thu, 10 May 2012 19:05:55 -0700
On May 10, 2012, at 6:49 PM, Richard Sharpe wrote:
If I forcibly set the linktype to 1 when reading the first header (the SHB) during pcap_live_open, then things work as I expect.
1 is LINKTYPE_ETHERNET. Does it still work if you forcibly set the linktype to 1 and send down the pipe a capture where the first interface *isn't* supplying Ethernet headers? (And, as per my mail, what happens if you send down the pipe a capture where the first interface supplies 802.11 headers and the second interface supplies USB headers, for example? In that case, there *is* no linktype, there's more than one linktype.)
Now to figure out the communication between dumpcap and Wireshark et al.
Note that, as per my mail, dumpcap communicates the link-layer type in the pcap file header's "linktype" field if it's writing a pcap file and communicates the link-layer types (plural!) in the pcap-ng file's IDBs if it's writing a pcap-ng file; Wireshark just incrementally reads the capture file. The messages from dumpcap to Wireshark on the sync pipe just say things such as "there are N more packets to read from the capture file" or "I've stopped writing to that capture file and am now writing to a capture file with this pathname"; they do not say "this capture has link-layer header type XXX", or even "this capture has a new interface with link-layer header type XXX" (given that "this capture has link-layer type XXX" is insufficient to fully support capturing on multiple interfaces, which 1.7.x supports). ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- How does dumpcap.c communicate linktype when pushing packets into the rest of Wireshark? Richard Sharpe (May 10)
- Re: How does dumpcap.c communicate linktype when pushing packets into the rest of Wireshark? Jeff Morriss (May 10)
- Re: How does dumpcap.c communicate linktype when pushing packets into the rest of Wireshark? Guy Harris (May 10)
- Re: How does dumpcap.c communicate linktype when pushing packets into the rest of Wireshark? Richard Sharpe (May 10)
- Re: How does dumpcap.c communicate linktype when pushing packets into the rest of Wireshark? Richard Sharpe (May 10)
- Re: How does dumpcap.c communicate linktype when pushing packets into the rest of Wireshark? Guy Harris (May 10)
- Re: How does dumpcap.c communicate linktype when pushing packets into the rest of Wireshark? Richard Sharpe (May 10)
- Re: How does dumpcap.c communicate linktype when pushing packets into the rest of Wireshark? Guy Harris (May 10)
- Re: How does dumpcap.c communicate linktype when pushing packets into the rest of Wireshark? Richard Sharpe (May 12)
- Re: How does dumpcap.c communicate linktype when pushing packets into the rest of Wireshark? Guy Harris (May 10)
- Re: How does dumpcap.c communicate linktype when pushing packets into the rest of Wireshark? Jeff Morriss (May 10)