Re: Printing PPI packets

[Darren Reed <darren.reed () oracle com>]

On  5/05/11 11:16 AM, Guy Harris wrote:
> On May 5, 2011, at 11:07 AM, Darren Reed wrote:
>
>    
> > There are also libpcap issues here that need to be resolved. At present, using any filter with a PPI device fails to match 
> > any packet that doesn't have a DLT of DLT_IEEE802_11.
> >      
> ...which is one of the things wrong with PPI.  pcap-ng makes the link-layer type part of the record header, rather than part 
> of the record data, so you don't have to special-case the filtering routine (so that, for PPI, the filter routine would 
> pull the link-layer type out and run different filter programs based on the link-layer type) or have the BPF compiler 
> generate, for PPI, code that switches off the link-layer type and includes code to do the filtering for all possible 
> link-layer types.
>
> pcap-ng, and the first of those strategies for PPI, would require a routine that sets the filter on a pcap_t to a string, so that 
> code can be generated while reading the savefile as each link-layer type is discovered (unless you generate code for every 
> possible link-layer type and stash it away "just in case", but even that requires a different API).

I see - you're concerned about how do you make "tcpdump icmp" work when 
the link type is PPI (or pcap-ng) and the contents of the file could be 
a mixture of ethernet, Infiniband and others. The problem being that the 
location of the IP header is different in each, requiring a different 
program to be generated and applied.

Darren

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.