tcpdump mailing list archives

Re: [PATCH] libpcap: Add datalink-type to match IEEE 802.15.4 ARP hardware type


From: Guy Harris <guy () alum mit edu>
Date: Thu, 15 Apr 2010 12:07:55 -0700


On Apr 8, 2010, at 1:25 PM, Luca Bruno wrote:

> Since Linux 2.6.30, IEEE 802.15.4 interfaces got assigned a proper
> ARP hardware type (ARPHRD_IEEE802154 - 804).
> This patch introduces the relevant code to match it with its own
> DLT type.
> There are currently three different types for it, but DLT_IEEE802_15_4
> is the safest standard choice.

The "safest standard choice" for the interpretation of ARPHRD_IEEE802154 is whatever format you get for packets from a 
device with that ARPHRD_ value.  (If there is no single format for that ARPHRD_ value, then there is *no* appropriate 
choice for it until Linux chooses a single format and, if necessary, adds different ARPHRD_ values for other formats.)

According to pcap/bpf.h:

        DLT_IEEE802_15_4_LINUX is "IEEE 802.15.4, with address fields padded, as is done by Linux drivers";

        DLT_IEEE802_15_4 is "IEEE 802.15.4, exactly as it appears in the spec (no padding, no nothing)";

        DLT_IEEE802_15_4_NONASK_PHY is "IEEE 802.15.4, exactly as it appears in the spec (no padding, no nothing), but 
with the PHY-level data for non-ASK PHYs (4 octets of 0 as preamble, one octet of SFD, one octet of frame 
length+reserved bit, and then the MAC-layer data, starting with the frame control field)".

If you write out a file with DLT_IEEE802_15_4, can Wireshark read it?  If not, DLT_IEEE802_15_4 is the wrong choice, as 
Wireshark's dissector for WTAP_ENCAP_IEEE802_15_4 is pretty much by definition correct (DLT_IEEE802_15_4 maps to 
WTAP_ENCAP_IEEE802_15_4, and DLT_IEEE802_15_4 is, as indicated, "IEEE 802.15.4, exactly as it appears in the spec", the 
spec being the definition) and will not be changed to handle 802.15.4 link-layer headings with non-standard changes.
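
Added example, not part of the original message or of libpcap: a Python sketch of how a capture reader can use the three link-layer types quoted above to get to the spec-format frame, or refuse to when it cannot. The function names and sample bytes are hypothetical, the numeric DLT values are taken from libpcap's pcap/bpf.h rather than from this message, and the position of the reserved bit in the length octet is an assumption.

```python
import struct

# Link-layer type values from libpcap's pcap/bpf.h.
DLT_IEEE802_15_4_LINUX = 191       # address fields padded (Linux drivers)
DLT_IEEE802_15_4 = 195             # exactly as in the spec
DLT_IEEE802_15_4_NONASK_PHY = 215  # spec frame behind a 6-octet PHY header


def read_linktype(file_header: bytes) -> int:
    """Return the link-layer type from a 24-byte pcap file header."""
    if len(file_header) < 24:
        raise ValueError("short pcap file header")
    magic = file_header[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"   # written on a little-endian host
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"   # written on a big-endian host
    else:
        raise ValueError("not a pcap file")
    (network,) = struct.unpack(endian + "I", file_header[20:24])
    return network & 0xFFFF  # the link type is in the low 16 bits


def to_spec_frame(linktype: int, pkt: bytes) -> bytes:
    """Return the MAC frame, starting at the frame control field."""
    if linktype == DLT_IEEE802_15_4:
        return pkt
    if linktype == DLT_IEEE802_15_4_NONASK_PHY:
        # 4 octets of 0 as preamble, 1 octet SFD, 1 octet length+reserved bit.
        if len(pkt) < 6 or pkt[:4] != b"\x00\x00\x00\x00":
            raise ValueError("missing non-ASK PHY header")
        frame_len = pkt[5] & 0x7F  # assumption: reserved bit is the top bit
        return pkt[6:6 + frame_len]
    if linktype == DLT_IEEE802_15_4_LINUX:
        # Padded addresses: not the spec layout, so do not pass it on as such.
        raise ValueError("padded Linux format is not the spec format")
    raise ValueError("not an IEEE 802.15.4 link type: %d" % linktype)


# Constructed sample data, not a real capture.
SAMPLE_MAC = bytes.fromhex("41882acdabffff01000000")
SAMPLE_PHY = b"\x00" * 4 + b"\xa7" + bytes([len(SAMPLE_MAC)]) + SAMPLE_MAC
SAMPLE_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535,
                         DLT_IEEE802_15_4_NONASK_PHY)
```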