Re: [PATCH libpcap] linktype: add netlink link/dlt type

[Guy Harris <guy () alum mit edu>]

On Jul 20, 2013, at 12:16 PM, Daniel Borkmann <dborkman () redhat com> wrote:

> On 07/19/2013 08:23 PM, Guy Harris wrote:
> > On Jul 3, 2013, at 3:49 AM, Daniel Borkmann <dborkman () redhat com> wrote:
> >
> > > For pcap interoperability, introduce a common link type for netlink
> > > captures.
> >
> > What do the link-layer headers for this look like?
>
> That is struct nlmsghdr, found in include/uapi/linux/netlink.h.

I.e., what is captured are netlink messages, as described by, for example, section 3.4 "Netlink message format" of:

        http://1984.lsi.us.es/~pablo/docs/spae.pdf

or section 2.2 "Message Format" of

        http://tools.ietf.org/html/rfc3549

> > Presumably making that work also involves changes to libpcap to support
> > capturing on nlmon devices (so that DLT_NETLINK is returned for them) and,
> > if you're not using the -w flag to tcpdump, changes to tcpdump to analyze
> > DLT_NETLINK packets.
>
> Right, for the device type identification, this is being exported as
> ARPHRD_NETLINK (include/uapi/linux/if_arp.h) in pf_packet's sll's
> sll_hatype member.
>
> I can have a look how libpcap handles this and send a follow-up patch
> for further inclusion next week if wished.

If the nlmon device look like regular network interfaces to which you can bind a PF_PACKET socket, then libpcap handles 
this in the switch statement in map_arphrd_to_dlt() - add a case for ARPHRD_NETLINK and map it to DLT_NETLINK.
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers