tcpdump mailing list archives

Re: [AiG-CERT #104737] DLT value


From: Airbus CERT via tcpdump-workers <tcpdump-workers () lists tcpdump org>
Date: Tue, 2 Jun 2020 09:58:02 +0200

--- Begin Message ---
From: Airbus CERT <cert () airbus com>
Date: Tue, 2 Jun 2020 09:58:02 +0200
Hello,

The layout is https://docs.microsoft.com/en-us/windows/win32/api/evntcons/ns-evntcons-event_header followed by one or 
more https://docs.microsoft.com/en-us/windows/win32/api/evntcons/ns-evntcons-event_header_extended_data_item, depending 
on the flag _EVENT_HEADER.Flags. I strictly follow the two links above.

Another good point for including ETW capability is a new way of doing network capture, 
https://docs.microsoft.com/en-us/message-analyzer/microsoft-windows-ndis-packetcapture-provider, without requiring an 
NDIS driver. 

Thanks for all your work on my PR,

Have a nice day,

Sylvain

-- 
Don't hesitate to contact us if you have questions or need assistance.

Best regards,

Airbus CERT (AiG CERT)

Airbus CERT
PGP KeyId: 527B1472
PGP Fingerprint: 8001 FDE8 84DA 90FD 6D5F D011 6B83 10FF 527B 1472

On Tue Jun 02 09:44:07 2020, gharris () sonic net wrote:
> On Jun 2, 2020, at 12:22 AM, Airbus CERT via tcpdump-workers <tcpdump-workers () lists tcpdump org> wrote:
>> Yes, exactly: each packet is an event. The layout of the event is
>> https://docs.microsoft.com/en-us/windows/win32/api/evntcons/ns-evntcons-event_header and
>> https://docs.microsoft.com/en-us/windows/win32/api/evntcons/ns-evntcons-event_header_extended_data_item.
>> But we aligned this format with the ETL (serialization used by Microsoft), which is not well documented.
> Is it documented at all?
> The description of a given LINKTYPE_/DLT_ value on
>         https://www.tcpdump.org/linktypes.html
> and the pages linked to by that description must be sufficient to
> allow somebody to write code to, at minimum, parse the link-layer
> headers, without ever looking at Wireshark or tcpdump code.


--- End Message ---
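The layout the message describes, an EVENT_HEADER followed by EVENT_HEADER_EXTENDED_DATA_ITEM records when EVENT_HEADER.Flags says so, as an added worked example that is not part of this thread or of the tcpdump/libpcap PR under discussion. It decodes the two structures with the field order and widths given in the Microsoft evntcons.h documentation the message links to, assuming little-endian, unpadded serialization. The sample record, its GUIDs, ids and timestamp are constructed for the example; because the thread does not state how the pcap record carries the number of extended items, the parser takes that count as a parameter instead of guessing a framing.

```python
import struct
import uuid
from dataclasses import dataclass, field
from typing import List

# EVENT_HEADER (evntcons.h) serialized little-endian, no padding:
#   Size, HeaderType, Flags, EventProperty      4 x USHORT
#   ThreadId, ProcessId                          2 x ULONG
#   TimeStamp                                    LARGE_INTEGER
#   ProviderId                                   GUID
#   EventDescriptor: Id (USHORT), Version/Channel/Level/Opcode (4 x UCHAR),
#                    Task (USHORT), Keyword (ULONGLONG)
#   KernelTime, UserTime                         2 x ULONG (union ProcessorTime)
#   ActivityId                                   GUID
EVENT_HEADER_FMT = "<HHHHIIq16sHBBBBHQII16s"
EVENT_HEADER_SIZE = struct.calcsize(EVENT_HEADER_FMT)  # 80 bytes
# EVENT_HEADER_EXTENDED_DATA_ITEM: Reserved1, ExtType, Linkage:1 + Reserved2:15,
# DataSize (4 x USHORT), then DataPtr (ULONGLONG).
EXT_ITEM_FMT = "<HHHHQ"
EXT_ITEM_SIZE = struct.calcsize(EXT_ITEM_FMT)  # 16 bytes

# EVENT_HEADER.Flags bits and ExtType values, as named in evntcons.h.
EVENT_HEADER_FLAG_EXTENDED_INFO = 0x0001
EVENT_HEADER_FLAG_64_BIT_HEADER = 0x0040
FLAG_NAMES = {
    0x0001: "EXTENDED_INFO", 0x0002: "PRIVATE_SESSION", 0x0004: "STRING_ONLY",
    0x0008: "TRACE_MESSAGE", 0x0010: "NO_CPUTIME", 0x0020: "32_BIT_HEADER",
    0x0040: "64_BIT_HEADER", 0x0080: "DECODE_GUID", 0x0100: "CLASSIC_HEADER",
    0x0200: "PROCESSOR_INDEX",
}
EXT_TYPE_RELATED_ACTIVITYID = 0x0001
EXT_TYPE_NAMES = {
    0x0001: "RELATED_ACTIVITYID", 0x0002: "SID", 0x0003: "TS_ID",
    0x0004: "INSTANCE_INFO", 0x0005: "STACK_TRACE32", 0x0006: "STACK_TRACE64",
}


@dataclass
class ExtendedItem:
    ext_type: int
    linkage: bool
    data_size: int
    data_ptr: int

    @property
    def type_name(self) -> str:
        return EXT_TYPE_NAMES.get(self.ext_type, f"EXT_TYPE_0x{self.ext_type:04x}")


@dataclass
class EtwEvent:
    size: int
    flags: int
    thread_id: int
    process_id: int
    timestamp: int
    provider_id: uuid.UUID
    event_id: int
    version: int
    level: int
    opcode: int
    keyword: int
    activity_id: uuid.UUID
    extended: List[ExtendedItem] = field(default_factory=list)

    def flag_names(self) -> List[str]:
        return [name for bit, name in sorted(FLAG_NAMES.items()) if self.flags & bit]


def parse_etw_event(buf: bytes, extended_data_count: int = 1) -> EtwEvent:
    """Parse EVENT_HEADER and, if Flags has EXTENDED_INFO, the item descriptors
    after it.  ASSUMPTION: items start right after the 80-byte header and the
    caller supplies their number (EVENT_RECORD.ExtendedDataCount in the live
    API); the thread does not say how the pcap record carries that count."""
    if len(buf) < EVENT_HEADER_SIZE:
        raise ValueError(f"truncated EVENT_HEADER: {len(buf)} < {EVENT_HEADER_SIZE} bytes")
    (size, _hdr_type, flags, _prop, tid, pid, ts, provider_raw, ev_id, version,
     _channel, level, opcode, _task, keyword, _ktime, _utime,
     activity_raw) = struct.unpack_from(EVENT_HEADER_FMT, buf, 0)
    # GUIDs are stored in Windows mixed-endian order, hence bytes_le.
    ev = EtwEvent(size, flags, tid, pid, ts, uuid.UUID(bytes_le=provider_raw),
                  ev_id, version, level, opcode, keyword, uuid.UUID(bytes_le=activity_raw))
    if flags & EVENT_HEADER_FLAG_EXTENDED_INFO:
        offset = EVENT_HEADER_SIZE
        for _ in range(extended_data_count):
            if len(buf) < offset + EXT_ITEM_SIZE:
                raise ValueError("truncated EVENT_HEADER_EXTENDED_DATA_ITEM")
            _res1, ext_type, bits, data_size, data_ptr = struct.unpack_from(EXT_ITEM_FMT, buf, offset)
            ev.extended.append(ExtendedItem(ext_type, bool(bits & 1), data_size, data_ptr))
            offset += EXT_ITEM_SIZE
    return ev


def build_sample() -> bytes:
    """Constructed sample (GUIDs, ids, timestamp made up): a 64-bit-header event
    followed by one RELATED_ACTIVITYID item descriptor."""
    provider = uuid.UUID("11111111-2222-3333-4444-555555555555")
    activity = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
    header = struct.pack(EVENT_HEADER_FMT, EVENT_HEADER_SIZE + EXT_ITEM_SIZE, 0,
                         EVENT_HEADER_FLAG_EXTENDED_INFO | EVENT_HEADER_FLAG_64_BIT_HEADER,
                         0, 1234, 4, 132361234567890000, provider.bytes_le,
                         1001, 1, 16, 4, 1, 0, 0x8000000000000000, 10, 20, activity.bytes_le)
    item = struct.pack(EXT_ITEM_FMT, 0, EXT_TYPE_RELATED_ACTIVITYID, 0, 16, 0)
    return header + item
```

Running `parse_etw_event(build_sample())` yields the provider GUID, event id 1001, flags `EXTENDED_INFO` and `64_BIT_HEADER`, and one `RELATED_ACTIVITYID` item of 16 bytes. The truncation checks are the part a dissector author actually needs: a record shorter than the fixed header, or one whose Flags promise more items than the buffer holds, is rejected instead of being read past its end.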
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
