tcpdump mailing list archives

Re: DLT_EN10MB and DLT_IEEE802


From: Guy Harris <gharris () sonic net>
Date: Tue, 3 Jun 2003 11:31:54 -0700

On Tue, Jun 03, 2003 at 01:45:04PM -0400, Allison, Jason (JALLISON) wrote:
> Continuing on my other emails, after further investigation I am confused
> about some things defined in ./net/bpf.h:
>
> #define DLT_EN10MB 1 /* Ethernet (10Mb) */
> Ethernet frames can have Ethernet or 802.3 encapsulation
>
> #define DLT_IEEE802 6 /* IEEE 802 Networks */
> What am I missing?

DLT_ values *really* refer to the precise form of the link-layer header
on packets, and are used to

        1) tell libpcap what sort of code to generate for filter
           expressions;

        2) tell the application what sort of link-layer headers to
           analyze.

The original DLT_ values were the ARP type values for the link-layer
types; for whatever reason, even though the MAC address format for
DEC/Intel/Xerox Ethernet is the same as the 802.* MAC address format,
they were given separate ARP type values, and so there's DLT_EN10MB
(where the "10MB" is to distinguish it from the 3Mb experimental
Ethernet at Xerox, not to distinguish it from *faster* Ethernets, which
have the same link-layer header as D/I/X Ethernet and therefore also use
DLT_EN10MB).

However, ARP type values aren't useful for the purpose for which DLT_
types are used, as there is, for example, no link-layer header type for
"IEEE 802 networks" - they have different link-layer types. 
Furthermore, not all network types supported by libpcap *have* ARP type
values.

So, in practice:

        DLT_EN10MB is used for all flavors of standard Ethernet (10Mb,
        100Mb, 1000Mb, and presumably 10000Mb), and you determine
        whether a DLT_EN10MB packet uses Ethernet or 802.3 encapsulation
        by looking at the type/length field;

        DLT_IEEE802 was used both by some BSD implementations and some
        Linux libpcaps for 802.5 Token Ring, and we've picked that up
        for our libpcap and tcpdump.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
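
The type/length check described in the message above, as an added example (not part of the original post and not libpcap or tcpdump code). The function and enum names are hypothetical, the sample frames are constructed, and the split of 802.3 frames into LLC, SNAP and raw goes beyond what the message covers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN 14        /* dst MAC (6) + src MAC (6) + type/length (2) */

enum encap { ENCAP_TRUNCATED, ENCAP_INVALID, ENCAP_ETHERNET,
             ENCAP_8023_LLC, ENCAP_8023_SNAP, ENCAP_8023_RAW };

/* Classify one DLT_EN10MB frame; caplen is the number of captured bytes. */
enum encap classify_en10mb(const uint8_t *p, size_t caplen)
{
    if (caplen < ETH_HDR_LEN)
        return ENCAP_TRUNCATED;          /* never read past the capture */
    unsigned tl = ((unsigned)p[12] << 8) | p[13];   /* network byte order */
    if (tl >= 0x0600)
        return ENCAP_ETHERNET;           /* field is a type: D/I/X Ethernet */
    if (tl > 1500)
        return ENCAP_INVALID;            /* 1501..1535 is neither */
    /* Field is a length: 802.3. Look at DSAP, SSAP and control. */
    if (caplen < ETH_HDR_LEN + 3)
        return ENCAP_TRUNCATED;
    const uint8_t *llc = p + ETH_HDR_LEN;
    if (llc[0] == 0xFF && llc[1] == 0xFF)
        return ENCAP_8023_RAW;           /* no LLC header (old IPX framing) */
    if (llc[0] == 0xAA && llc[1] == 0xAA && llc[2] == 0x03)
        return ENCAP_8023_SNAP;          /* LLC followed by a SNAP header */
    return ENCAP_8023_LLC;               /* plain 802.2 LLC */
}

/* Constructed sample frames (addresses and payloads are made up). */
#define MACS 0x02,0,0,0,0,1, 0x02,0,0,0,0,2
const uint8_t frame_ipv4[] = { MACS, 0x08,0x00 };
const uint8_t frame_snap[] = { MACS, 0x00,0x08, 0xAA,0xAA,0x03, 0,0,0, 0x08,0x00 };
const uint8_t frame_llc[]  = { MACS, 0x00,0x03, 0x42,0x42,0x03 };
const uint8_t frame_raw[]  = { MACS, 0x00,0x03, 0xFF,0xFF,0x00 };
const uint8_t frame_bad[]  = { MACS, 0x05,0xF0 };

int main(void)
{
    static const char *name[] = { "truncated", "invalid", "Ethernet",
                                  "802.3+LLC", "802.3+SNAP", "802.3 raw" };
    printf("%s\n", name[classify_en10mb(frame_ipv4, sizeof frame_ipv4)]);
    printf("%s\n", name[classify_en10mb(frame_snap, sizeof frame_snap)]);
    printf("%s\n", name[classify_en10mb(frame_llc, sizeof frame_llc)]);
    printf("%s\n", name[classify_en10mb(frame_raw, sizeof frame_raw)]);
    printf("%s\n", name[classify_en10mb(frame_bad, sizeof frame_bad)]);
    printf("%s\n", name[classify_en10mb(frame_ipv4, 10)]);
    return 0;
}
```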

