tcpdump mailing list archives
Re: Compile libpcap with DLT_LINUX_SLL2
From: Guy Harris via tcpdump-workers <tcpdump-workers () lists tcpdump org>
Date: Sat, 9 May 2020 00:15:23 -0400 (EDT)
--- Begin Message --- From: Guy Harris <gharris () sonic net>
Date: Fri, 8 May 2020 21:17:16 -0700
On May 8, 2020, at 10:47 AM, Guy Harris via tcpdump-workers <tcpdump-workers () lists tcpdump org> wrote:No, nobody appears to have contributed a change to add support to epan/dissectors/packet-sll.c yet.I just did; it was a significant enough change to a bit of infrastructure used by other dissectors that it's probably not a candidate for backporting, but it should show up in the 3.4 release, which should come out some time this year. The main clients of libpcap on Linux are probably: 1) tcpdump - already supports SLL2 in the main branch, so will be supported in 5.0; 2) Wireshark - now supports SLL2 in the main branch, so will be supported in 3.4; 3) some others - Snort? Scapy? Bro^WZeek? Any other ideas? Snort and its daq library, as of the latest release tarballs understand SLL but not SLL2. Snort3/Snort++ and its daq library appear to understand neither in the master branch. Scapy appears to understand SLL but not SLL2 in the master branch. Zeek appears to have a tiny bit of understanding of SLL but not SLL2 in the master branch; it might be that it runs with a filter such as "ip" or "ip or ip6", so all it needs to know is how to skip over the link-layer header, which it does. So, for now, I guess defaulting to SLL2 in tcpdump is the best answer, as it won't surprise any other software's live capture. If new versions of various Linux distribution come out with the new tcpdump at about the same time as the new Wireshark comes out, it shouldn't cause problems with Wireshark reading tcpdump captures.
--- End Message ---
_______________________________________________ tcpdump-workers mailing list tcpdump-workers () lists tcpdump org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Current thread:
- Re: Compile libpcap with DLT_LINUX_SLL2 Francois-Xavier Le Bail via tcpdump-workers (May 08)
- Message not available
- Re: Compile libpcap with DLT_LINUX_SLL2 Francois-Xavier Le Bail via tcpdump-workers (May 08)
- Re: Compile libpcap with DLT_LINUX_SLL2 Francois-Xavier Le Bail via tcpdump-workers (May 08)
- Re: Compile libpcap with DLT_LINUX_SLL2 Francois-Xavier Le Bail via tcpdump-workers (May 08)
- Message not available
- <Possible follow-ups>
- Re: Compile libpcap with DLT_LINUX_SLL2 Guy Harris via tcpdump-workers (May 08)
- Re: Compile libpcap with DLT_LINUX_SLL2 Guy Harris via tcpdump-workers (May 08)
- Re: Compile libpcap with DLT_LINUX_SLL2 Guy Harris via tcpdump-workers (May 08)
- Re: Compile libpcap with DLT_LINUX_SLL2 Bill Fenner via tcpdump-workers (May 09)
- Re: Compile libpcap with DLT_LINUX_SLL2 Guy Harris via tcpdump-workers (May 08)
- Re: Compile libpcap with DLT_LINUX_SLL2 Guy Harris via tcpdump-workers (May 09)
- Re: Compile libpcap with DLT_LINUX_SLL2 Francois-Xavier Le Bail via tcpdump-workers (May 10)
- Re: Compile libpcap with DLT_LINUX_SLL2 Francois-Xavier Le Bail via tcpdump-workers (May 10)
- Re: Compile libpcap with DLT_LINUX_SLL2 Francois-Xavier Le Bail via tcpdump-workers (May 10)
- Re: Compile libpcap with DLT_LINUX_SLL2 Petr Vorel via tcpdump-workers (May 12)