Wireshark mailing list archives
Re: How does dumpcap.c communicate linktype when pushing packets into the rest of Wireshark?
From: Richard Sharpe <realrichardsharpe () gmail com>
Date: Thu, 10 May 2012 19:11:43 -0700
On Thu, May 10, 2012 at 7:05 PM, Guy Harris <guy () alum mit edu> wrote:
> On May 10, 2012, at 6:49 PM, Richard Sharpe wrote:
>
>> If I forcibly set the linktype to 1 when reading the first header (the SHB) during pcap_live_open, then things work as I expect.
>
> 1 is LINKTYPE_ETHERNET. Does it still work if you forcibly set the linktype to 1 and send down the pipe a capture where the first interface *isn't* supplying Ethernet headers?
I would not expect it to. My quick fix was simply to determine if I am getting most things correct.
> (And, as per my mail, what happens if you send down the pipe a capture where the first interface supplies 802.11 headers and the second interface supplies USB headers, for example? In that case, there *is* no linktype, there's more than one linktype.)
I would expect massive fail. However, I currently only have a pcapng file with one IDB in it.
>> Now to figure out the communication between dumpcap and Wireshark et al.
>
> The messages from dumpcap to Wireshark on the sync pipe just say things such as "there are N more packets to read from the capture file" or "I've stopped writing to that capture file and am now writing to a capture file with this pathname"; they do not say "this capture has link-layer header type XXX", or even "this capture has a new interface with link-layer header type XXX" (given that "this capture has link-layer type XXX" is insufficient to fully support capturing on multiple interfaces, which 1.7.x supports).
It would seem that we need to say "this packet has link-layer type XXX" and the pcap-opts that is passed some of the way in supports that, it seems.

--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
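
The per-packet link-type lookup this message arrives at, as an added example that is not part of the original e-mail and is not Wireshark or dumpcap code: a bounds-checked walk over a pcapng buffer that resolves each Enhanced Packet Block's link type through its Interface ID. The function name packet_linktypes, the 16-interface limit and the little-endian-only restriction are assumptions of the example, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

enum { BT_SHB = 0x0A0D0D0A, BT_IDB = 1, BT_EPB = 6 };  /* pcapng block types */

static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Constructed sample (not a real capture): SHB, IDB with LinkType 105 (802.11),
 * IDB with LinkType 189 (USB), then two empty EPBs on interface 1 and interface 0. */
static const uint8_t sample[] = {
    0x0A,0x0D,0x0D,0x0A, 28,0,0,0, 0x4D,0x3C,0x2B,0x1A, 1,0,0,0,
    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 28,0,0,0,
    1,0,0,0, 20,0,0,0, 105,0,0,0, 0,0,0,0, 20,0,0,0,
    1,0,0,0, 20,0,0,0, 189,0,0,0, 0,0,0,0, 20,0,0,0,
    6,0,0,0, 32,0,0,0, 1,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 32,0,0,0,
    6,0,0,0, 32,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 32,0,0,0,
};

/* Stores the link type of each packet, in file order, in pkt_lt[] and returns
 * the packet count. Returns -1 on a malformed or truncated block, a section
 * that is not little-endian, or an EPB whose Interface ID has no IDB. */
int packet_linktypes(const uint8_t *buf, size_t len, uint16_t *pkt_lt, size_t max_pkt)
{
    uint16_t idb_lt[16];                 /* LinkType per interface ID, this section */
    size_t off = 0, n_if = 0, npkt = 0;
    while (len - off >= 12) {
        uint32_t type = le32(buf + off), blen = le32(buf + off + 4);
        if (blen < 12 || blen % 4 || blen > len - off) return -1;
        if (le32(buf + off + blen - 4) != blen) return -1;   /* trailing length copy */
        if (type == BT_SHB) {
            if (blen < 28 || le32(buf + off + 8) != 0x1A2B3C4D) return -1;
            n_if = 0;                    /* interface IDs restart in each section */
        } else if (type == BT_IDB) {
            if (blen < 20 || n_if == 16) return -1;
            idb_lt[n_if++] = (uint16_t)(le32(buf + off + 8) & 0xFFFF);
        } else if (type == BT_EPB) {
            uint32_t ifid;
            if (blen < 32 || npkt == max_pkt) return -1;
            ifid = le32(buf + off + 8);
            if (ifid >= n_if) return -1; /* EPB names an interface with no IDB */
            pkt_lt[npkt++] = idb_lt[ifid];
        }
        off += blen;
    }
    return off == len ? (int)npkt : -1;
}
```

On the sample the two packets resolve to different link types, so no single capture-wide linktype value describes the file.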