tcpdump mailing list archives
Re: [AiG-CERT #104737] DLT value
From: Airbus CERT via tcpdump-workers <tcpdump-workers () lists tcpdump org>
Date: Tue, 2 Jun 2020 09:58:02 +0200
--- Begin Message --- From: Airbus CERT <cert () airbus com>
Date: Tue, 2 Jun 2020 09:58:02 +0200
Hello, The layout is https://docs.microsoft.com/en-us/windows/win32/api/evntcons/ns-evntcons-event_header following by one or more https://docs.microsoft.com/en-us/windows/win32/api/evntcons/ns-evntcons-event_header_extended_data_item depending of the flag _EVENT_HEADER.Flags. I strictly follow the two upper links. Another good point for including ETW capability is a new way for network capture https://docs.microsoft.com/en-us/message-analyzer/microsoft-windows-ndis-packetcapture-provider without requiring to an NDIS driver. Thanks for all your works on my PR, Have a nice day, Sylvain -- -- Don't hesitate to contact us if you have questions or need assistance. Best regards, Airbus CERT (AiG CERT) Airbus CERT PGP KeyId: 527B1472 PGP Fingerprint: 8001 FDE8 84DA 90FD 6D5F D011 6B83 10FF 527B 1472 On Tue Jun 02 09:44:07 2020, gharris () sonic net wrote:On Jun 2, 2020, at 12:22 AM, Airbus CERT via tcpdump-workers <tcpdump- workers () lists tcpdump org> wrote:Yes exactly each packet is an event. The layout of the event is https://docs.microsoft.com/en-us/windows/win32/api/evntcons/ns- evntcons-event_header and https://docs.microsoft.com/en- us/windows/win32/api/evntcons/ns-evntcons- event_header_extended_data_item. But we aligned this format with the ETL (serialization use by microsoft) which is not well documented.Is it documented at all? The description of a given LINKTYPE_/DLT_ value on https://www.tcpdump.org/linktypes.html and the pages linked to by that description must be sufficient to allow somebody to write code to, at minimum, parse the link-layer headers, without ever looking at Wireshark or tcpdump code.The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. Access to this e-mail by anyone else is unauthorised. If you are not the intended recipient, please notify Airbus immediately and delete this e-mail. Airbus cannot accept any responsibility for the accuracy or completeness of this e-mail as it has been sent over public networks. If you have any concerns over the content of this message or its Accuracy or Integrity, please contact Airbus immediately. All outgoing e-mails from Airbus are checked using regularly updated virus scanning software but you should take whatever measures you deem to be appropriate to ensure that this message and any attachments are virus free.
--- End Message ---
_______________________________________________ tcpdump-workers mailing list tcpdump-workers () lists tcpdump org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Current thread:
- [AiG-CERT #104737] DLT value Airbus CERT via tcpdump-workers (May 29)
- Re: [AiG-CERT #104737] DLT value Guy Harris via tcpdump-workers (May 29)
- Message not available
- Message not available
- Re: [AiG-CERT #104737] DLT value Airbus CERT via tcpdump-workers (Jun 02)
- Re: [AiG-CERT #104737] DLT value Guy Harris via tcpdump-workers (Jun 02)
- Message not available
- Message not available
- Re: [AiG-CERT #104737] DLT value Airbus CERT via tcpdump-workers (Jun 02)
- Re: [AiG-CERT #104737] DLT value Guy Harris via tcpdump-workers (Jun 11)
- Message not available
- Message not available
- Message not available
- Message not available
- Re: [AiG-CERT #104737] DLT value Airbus CERT via tcpdump-workers (Jun 11)