Re: New APIs to support multiple DLT_'s on an interface

[Andrew Brown <tcpdump-workers () lists graffiti com>]

On Wed, Dec 11, 2002 at 03:03:03PM -0800, Guy Harris wrote:
> On Mon, Nov 11, 2002 at 02:36:04PM -0600, David Young wrote:
> > Just FYI, I have patched NetBSD's tcpdump for multiple tap types.
> > -L lists available DLTs.  -D sets a different DLT than the default.
>
> Unfortunately, "-D" was already claimed by WinDump as an option to print
> out a list of all available interfaces; the current CVS version of
> tcpdump, which has the WinDump code merged in, supports it for that
> purpose:
>
>       % tcpdump -D
>       1.fxp0
>       2.lo0
>       % tcpdump -i 1
>       tcpdump: listening on fxp0

since netbsd's -D and -L seem instrinsically related, yet the official
tcpdump -D doesn't seem that far off, and since the netbsd change is
rather recent, how about merging/switching the two functionalities?
this would mean that -D would give me (for example):

        % tcpdump -D
        1.lo0   NULL
        8.ep0   EN10MB
        9.wi0   EN10MB IEEE802_11
        % 

note that i haven't written any code -- i just made the above up with
my fingers, and i plugged in the wi0 card to see the different dlt
types.  the numbers are the ifindex values.

> where the numbers can be used instead of names as an argument to "-i".

that's a neat concept.

> That might not be too useful on systems that support "ifconfig -a", but
> Windows doesn't *and* doesn't have particularly nice names for
> interfaces, and even some UNIXes, e.g. HP-UX as of 11.00, don't support
> "ifconfig -a".

i usually end up writing a small program to do just that.  i've
encountered enough systems that don't have ifconfig -a to get upset
enough to write such a program.

> The letters available in tcpdump are:
>
>       b g G h H I M o P Q U V W y
>
> Tethereal and Ethereal should probably support the same options, if
> possible; one or both of them already uses
>
>       b h o P Q V
>
> leaving
>
>       g G H I M U W y
>
> which is a pretty poor selection, but such are the consequences of the
> folks at Bell Labs deciding that single-letter options were the way to
> go (perhaps defensible in the days of the PDP-11, but...).  I guess I'd
> vote for I, as the letter "interface", as in "network interface", begins
> with "I".

that's a shame.  especially since i'd like to burn...three of those.
somehow.  here's my "plan".  you tell me if you hate it.

(1) use -W to indicate "open the underlying network tap device in
read/write mode".  jason thorpe has done a bit of this to the netbsd
copy of the libpcap code, but only insofar as the bpf unconditionally
gets opened read/write.  his reasoning:

        Open the BPF file descriptor as read-write.  Some pcap-using
        programs (notably, simulators) expect to be able to send
        packets on the descriptor, as well as receive.

but that sucks for me, since i like to give special purpose accounts
read-only access to the bpf so that they can monitor, but not write to
the network.  being able to tell pcap_open_live() to use read-only or
read/write would be a big win (i get what i want and jason gets what
he wants), and i think i can see how to do it.  pcap_open_live() has a
promisc argument that could be "altered" to be flags.  promisc could
then become 0x01 and read/write could be 0x02.  etc.

(2) use -U to tell tcpdump to write the dump to the output file in an
unbuffered manner.  packets that dribble in take a long time to fill
the stdio buffer and get flushed to the file.  this can be incredibly
annoying, especially if you're impatient.  this one won't be as easy
as the first one, since pcap_dump_open() doesn't have any room for
flags.  hmm...i suppose that since the first argument to
pcap_dump_open() is a pcap_t*, the flags could be hidden in there
somewhere from the call to pcap_open_live().  how bad does that sound?

(3) use another letter (there aren't any really good mnemonics left
off the top of my head, so i'm open to suggestions) to tell tcpdump to
dump the link layer data as well when using -x or -X.  when printing
ip datagrams using -X (or -x), the link layer stuff is skipped.  call
me crazy, but i'd like to be able to see that somewhere.  i initially
used -L for this (to indicate link layer), but that got used by
someone else because i was lazy.  -E was already gone at that point.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior () daemon org             * "ah!  i see you have the internet
twofsonet () graffiti com (Andrew Brown)                that goes *ping*!"
werdna () squooshy com       * "information is power -- share the wealth."

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe