tcpdump mailing list archives

Re: unreadable(?) capture file


From: Hannes Gredler <hannes () juniper net>
Date: Mon, 15 Sep 2003 04:52:46 +0200

On Sun, Sep 14, 2003 at 06:16:30PM -0700, Guy Harris wrote:

| Ethereal uses a sneaky trick to try to discover them; to quote a comment
| in its code for reading libpcap capture files:
| 
|       /*
|        * AIX's non-standard tcpdump uses a minor version number of 2.
|        * Unfortunately, older versions of libpcap might have used
|        * that as well.
|        *
|        * The AIX libpcap uses RFC 1573 ifType values rather than
|        * DLT_ values in the header; the ifType values for LAN devices
|        * are:
|        *
|        *      Ethernet        6
|        *      Token Ring      9
|        *      FDDI            15
|        *
|        * which correspond to DLT_IEEE802 (used for Token Ring),
|        * DLT_PPP, and DLT_SLIP_BSDOS, respectively.  The ifType value
|        * for a loopback interface is 24, which currently isn't
|        * used by any version of libpcap I know about (and, as
|        * tcpdump.org are assigning DLT_ values above 100, and
|        * NetBSD started assigning values starting at 50, and
|        * the values chosen by other libpcaps appear to stop at
|        * 19, it's probably not going to be used by any libpcap
|        * in the future).
|        *
|        * We shall assume that if the minor version number is 2, and
|        * the network type is 6, 9, 15, or 24, that it's AIX libpcap.
|        *
|        * I'm assuming those older versions of libpcap didn't
|        * use DLT_IEEE802 for Token Ring, and didn't use DLT_SLIP_BSDOS
|        * as that came later.  It may have used DLT_PPP, however, in
|        * which case we're out of luck; we assume it's Token Ring
|        * in AIX libpcap rather than PPP in standard libpcap, as
|        * you're probably more likely to be handing an AIX libpcap
|        * token-ring capture than an old (pre-libpcap 0.4) PPP capture
|        * to Ethereal.
|        */
| 
| I don't know whether libpcap should do the same trick or not.

I think it should - if libpcap is not the place to get it [at least documented]
done, where is it then?

/hannes
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
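
The heuristic described in the quoted Ethereal comment, as an added example that is not part of the original message and is not Ethereal's or libpcap's own code. The names `pcap_effective_link` and `struct pcap_link` are hypothetical, the mapping of ifType 24 to `DLT_NULL` is an assumption, and the two sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standard libpcap DLT_ values. */
enum { DLT_NULL = 0, DLT_EN10MB = 1, DLT_IEEE802 = 6, DLT_FDDI = 10 };
#define PCAP_MAGIC 0xa1b2c3d4u
#define PCAP_HDR_LEN 24

struct pcap_link { int ok; int is_aix; uint32_t dlt; };  /* hypothetical result type */

static uint32_t rd32(const uint8_t *p, int be) {
    return be ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
              : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* Parse the 24-byte file header and apply the minor-version-2 heuristic. */
struct pcap_link pcap_effective_link(const uint8_t *h, size_t len) {
    struct pcap_link r = {0, 0, 0};
    int be;
    if (len < PCAP_HDR_LEN) return r;              /* truncated file */
    if (rd32(h, 0) == PCAP_MAGIC) be = 0;          /* little-endian writer */
    else if (rd32(h, 1) == PCAP_MAGIC) be = 1;     /* big-endian writer */
    else return r;                                 /* not a classic pcap file */
    uint16_t minor = be ? (uint16_t)(h[6] << 8 | h[7]) : (uint16_t)(h[7] << 8 | h[6]);
    r.ok = 1;
    r.dlt = rd32(h + 20, be);                      /* network field as written */
    if (minor != 2) return r;                      /* heuristic applies to minor 2 only */
    switch (r.dlt) {                               /* RFC 1573 ifType -> DLT_ */
    case 6:  r.is_aix = 1; r.dlt = DLT_EN10MB;  break;
    case 9:  r.is_aix = 1; r.dlt = DLT_IEEE802; break;  /* ambiguous with old DLT_PPP */
    case 15: r.is_aix = 1; r.dlt = DLT_FDDI;    break;
    case 24: r.is_aix = 1; r.dlt = DLT_NULL;    break;  /* assumed loopback mapping */
    }
    return r;
}

/* Constructed sample headers (not taken from a real capture). */
static const uint8_t AIX_ETH[24] = {0xa1,0xb2,0xc3,0xd4, 0,2, 0,2, 0,0,0,0, 0,0,0,0, 0,0,0x05,0xea, 0,0,0,6};
static const uint8_t STD_ETH[24] = {0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0};

int main(void) {
    struct pcap_link a = pcap_effective_link(AIX_ETH, sizeof AIX_ETH);
    struct pcap_link s = pcap_effective_link(STD_ETH, sizeof STD_ETH);
    printf("aix: ok=%d is_aix=%d dlt=%u\n", a.ok, a.is_aix, (unsigned)a.dlt);
    printf("std: ok=%d is_aix=%d dlt=%u\n", s.ok, s.is_aix, (unsigned)s.dlt);
    return 0;
}
```

Both sample headers resolve to `DLT_EN10MB`, but only the first is flagged as AIX; without the remapping its network value of 6 would be decoded as `DLT_IEEE802`.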

