pcap and loopback headers

["Adam M." <pcap () irotas net>]

This is probably a FAQ++, but I'm having trouble using Pcap for
savefiles that were captured from a loopback device.

There are 2 problems here:
1) In general, how is one supposed to determine what the layer-2
protocol is? I've traditionally always assumed Ethernet, because I don't
know how to determine it automatically.

2) It seems that the loopback header format is different for Linux and
BSD/Mac. Linux seems to 'fake' the header with an Ethernet-style format
with zero'd out source/destination addresses, and only fill in the
layer-3 protocol number. BSD/Mac use a single 4-byte field to indicate
the layer-3 protocol number. How does one handle this when parsing
packets read from Pcap?

Thanks,
Adam
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.