tcpdump mailing list archives

Re: Problem with generation of Pcap traces for


From: Guy Harris <guy () alum mit edu>
Date: Sat, 16 May 2009 10:12:23 -0700


On May 16, 2009, at 3:18 AM, Johan Mazel wrote:

> Does this restriction mean that I can't aggregate traces of different
> versions of Ethernet (e.g., 802.3 and 802.11)?

(802.11 isn't a version of Ethernet.)

If your 802.11 device supplies "fake Ethernet" headers, you can aggregate its packets with Ethernet packets; if it supplies 802.11 headers, with or without radio headers, you can't.

> I mean that with my different pcap_t, I will be able to set a certain
> snapshot length for all the pcap_t related to the capture and a different
> snapshot length for the trace file generation.
> If for example, I just want to process the full packets but just log the
> headers of the packets.

Then what you should do in *that* case is:

open - either with pcap_open_live(), or pcap_create()/pcap_activate() - the interfaces on which you'll be capturing, and make sure they all provide the same link-layer type;

open - with pcap_open_dead() - a pcap_t, with the link-layer type being the same as the link-layer type of all the interfaces on which you're capturing, and with the snapshot length being the snapshot length you'll be writing to the capture file;

open - with pcap_dump_open() - a pcap_dumper_t, and use the pcap_t you got from pcap_open_dead() in the pcap_dump_open() call, so that the dump file has the right snapshot length specified.
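An added illustration, not code from the message above or from libpcap: this Python sketch writes the classic pcap savefile format by hand to show what the three steps produce, namely one file header holding a single link-layer type and the file's own snapshot length, with each record cut to that length while its original length is kept. The class and function names are hypothetical and the frames are constructed sample data.

```python
import io
import struct

# Link-layer type values from the tcpdump.org link-type registry.
LINKTYPE_ETHERNET = 1
LINKTYPE_IEEE802_11 = 105

# File header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype.
GLOBAL_HDR = struct.Struct("<IHHiIII")
RECORD_HDR = struct.Struct("<IIII")  # ts_sec, ts_usec, caplen, len


class HeaderOnlyDump:
    """Hypothetical savefile writer with its own snaplen and one link type."""

    def __init__(self, out, linktype, file_snaplen):
        self.out, self.linktype, self.snaplen = out, linktype, file_snaplen
        out.write(GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, file_snaplen, linktype))

    def dump(self, source_linktype, ts_sec, ts_usec, wire_len, data):
        # Records carry no link type of their own, so every source must match.
        if source_linktype != self.linktype:
            raise ValueError("link-layer type differs from the savefile's")
        # Truncate for the file only; the caller still holds the full packet.
        caplen = min(len(data), self.snaplen)
        self.out.write(RECORD_HDR.pack(ts_sec, ts_usec, caplen, wire_len))
        self.out.write(data[:caplen])


def read_savefile(buf):
    """Return (snaplen, linktype, [(caplen, len), ...]) parsed from bytes."""
    _, _, _, _, _, snaplen, linktype = GLOBAL_HDR.unpack_from(buf, 0)
    off, records = GLOBAL_HDR.size, []
    while off < len(buf):
        _, _, caplen, wire_len = RECORD_HDR.unpack_from(buf, off)
        records.append((caplen, wire_len))
        off += RECORD_HDR.size + caplen
    return snaplen, linktype, records


def demo():
    # Constructed sample: full frames as captured on two Ethernet interfaces.
    frame_a = bytes(14) + b"A" * 1486  # 1500 bytes on the wire
    frame_b = bytes(14) + b"B" * 50    # 64 bytes on the wire
    out = io.BytesIO()
    dump = HeaderOnlyDump(out, LINKTYPE_ETHERNET, file_snaplen=96)
    dump.dump(LINKTYPE_ETHERNET, 1, 0, len(frame_a), frame_a)
    dump.dump(LINKTYPE_ETHERNET, 1, 500, len(frame_b), frame_b)
    return read_savefile(out.getvalue())
```

With libpcap, pcap_dump() writes caplen bytes exactly as the pcap_pkthdr states, so the same truncation means lowering caplen to the dump file's snapshot length before each call.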

