Re: Problem with generation of Pcap traces for

[Johan Mazel <johan.mazel () gmail com>]

Hello

(802.11 isn't a version of Ethernet.)
> If your 802.11 device supplies "fake Ethernet" headers, you can aggregate
> its packets with Ethernet packets; if it supplies 802.11 headers, with or
> without radio headers, you can't.

Ok, I'll verify this point.


> I mean that with my different pcap_t, I will be able to set a certain
>
> Then what you should do in *that* case is:
>
>        open - either with pcap_open_live(), or
> pcap_create()/pcap_activate() - the interfaces on which you'll be capturing,
> and make sure they all provide the same link-layer type;
>
>        open - with pcap_open_dead() - a pcap_t, with the link-layer type
> being the same as the link-layer type of all the interfaces on which you're
> capturing, and with the snapshot length being the snapshot length you'll be
> writing to the capture file;
>
>        open - with pcap_dump_open() - a pcap_dumper_t, and use the pcap_t
> you got from pcap_open_dead() in the pcap_dump_open() call, so that the dump
> file has the right snapshot length specified.

That was my idea. :)
Thanks for the suggestion to use pcap_open_dead(), I didn't really
understood the point of pcap_open_dead() until this message despite the fact
that it's not really the first time that you tell me to use it.
I suppose that the values for linktype are the ones I'm talking in my first
mail : 01 for Ethernet, 06 for Token Ring, 07 for ARCnet, etc... ???

Thanks for your time.
Johan
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.