tcpdump mailing list archives

What's the "link level header" in "minus its link level header" for the -x flag?


From: Guy Harris via tcpdump-workers <tcpdump-workers () lists tcpdump org>
Date: Thu, 30 Apr 2020 15:05:02 -0400 (EDT)

--- Begin Message ---
From: Guy Harris <gharris () sonic net>
Date: Thu, 30 Apr 2020 12:06:35 -0700
(Opening this up to the full tcpdump-workers list, to get more user input.)

On Apr 30, 2020, at 11:40 AM, Francois-Xavier Le Bail <devel.fx.lebail () orange fr> wrote:

The tcpdump manual states:

      -x     When parsing and printing, in addition to printing  the  headers
             of  each  packet,  print the data of each packet (minus its link
             level header) in hex.  The  smaller  of  the  entire  packet  or
             snaplen  bytes  will  be  printed.  Note that this is the entire
             link-layer packet, so for link layers that pad (e.g.  Ethernet),
             the  padding  bytes  will  also be printed when the higher layer
             packet is shorter than the required padding.

In "minus its link level header" (singular, thus one header), link level header should be understood
as the DLT link level header?

E.g. for "IP over Fibre Channel printer" (print-ipfc.c), the LL header length is IPFC_HDRLEN (16) or
caplen if the packet is truncated?

I ask the question because sometimes some other LL lengths are taken into account (LLC, etc.).
I think it is confusing to mix in the "minus its link level header" the DLT LL and other upper layer
link layers.

We should just take into account the pseudo-header length in some cases, e.g. DLT_NETANALYZER,
DLT_NETANALYZER_TRANSPARENT, etc., added to Ethernet header length.

My *guess* is that the most *useful* interpretation of "link level header" is "whatever, in an IP packet, would come before the IP header".

So that'd include, for example, the LLC header.

It would also, of course, take into account any metadata pseudo-headers, such as the NetAnalyzer headers or the radiotap header for 802.11.

--- End Message ---
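
The two readings of "link level header" discussed in this thread, as an added example (not tcpdump's code and not part of the original messages). It assumes Ethernet (DLT_EN10MB) frames; the function names and both sample frames are constructed for illustration, and it makes no claim about which reading tcpdump implements.

```python
import struct

ETH_HDRLEN = 14       # destination MAC, source MAC, type/length field
LLC_SNAP_HDRLEN = 8   # DSAP, SSAP, control, 3-byte OUI, 2-byte protocol ID

def dlt_header_len(frame):
    """Reading 1: only the DLT_EN10MB header (or caplen if truncated)."""
    return min(ETH_HDRLEN, len(frame))

def pre_ip_header_len(frame):
    """Reading 2: everything that would come before the IP header."""
    if len(frame) < ETH_HDRLEN:
        return len(frame)
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    if type_or_len >= 0x0600:               # Ethernet II: the field is an EtherType
        return ETH_HDRLEN
    if frame[14:17] == b"\xaa\xaa\x03":     # 802.3 length, then LLC/SNAP
        return min(ETH_HDRLEN + LLC_SNAP_HDRLEN, len(frame))
    return min(ETH_HDRLEN + 3, len(frame))  # plain LLC, assuming 1-byte control

def hex_after(frame, skip):
    """Hex of what is left once `skip` bytes of header are dropped."""
    return frame[skip:].hex()

def padding_len(frame, skip):
    """Bytes left after the IPv4 datagram ends (total length is at offset 2)."""
    (ip_total_len,) = struct.unpack("!H", frame[skip + 2:skip + 4])
    return len(frame) - skip - ip_total_len

# Constructed sample data: a 28-byte IPv4/UDP datagram, checksums left at zero.
MACS = bytes.fromhex("020000000001 020000000002")
IP_UDP = bytes.fromhex(
    "4500001c 00000000 40110000 c0000201 c0000202 00350035 00080000")
# Ethernet II frame, padded to the 46-byte minimum payload.
ETH2 = MACS + b"\x08\x00" + IP_UDP + bytes(18)
# 802.3 frame carrying the same datagram behind an LLC/SNAP header.
SNAP = MACS + b"\x00\x24" + bytes.fromhex("aaaa03 000000 0800") + IP_UDP + bytes(10)

if __name__ == "__main__":
    for name, frame in (("Ethernet II", ETH2), ("802.3 + LLC/SNAP", SNAP)):
        for reading in (dlt_header_len, pre_ip_header_len):
            skip = reading(frame)
            print(f"{name:17} {reading.__name__:18} skip={skip:2} "
                  f"starts={hex_after(frame, skip)[:8]}")
        print(f"{name:17} padding bytes also dumped: "
              f"{padding_len(frame, pre_ip_header_len(frame))}")
```

For the Ethernet II frame both readings skip the same 14 bytes; for the LLC/SNAP frame the dump starts at the LLC header under the first reading and at the IP header under the second, and in both frames the Ethernet padding follows the datagram in the output.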