Re: Link Layer Type Request NETANALYZER_NG

[Guy Harris via tcpdump-workers <tcpdump-workers () lists tcpdump org>]

> --- Begin Message ---
>
>
> From: Guy Harris <gharris () sonic net>
>
> Date: Mon, 22 Mar 2021 22:36:12 -0700
>
> On Mar 22, 2021, at 7:33 AM, Jan Adam <JAdam () hilscher com> wrote:
>
> > > Are they aligned on natural boundaries?
> >
> > No, it is not aligned but packet.  We use #pragma pack(1) for the footer structure.
>
> You should probably add that to the page with the structure definition.
>
> > > What do the four fields of the SrcID indicate for the various values of Representation?
> >
> > For Representation 0x01 to 0x05 their meaning is defined as following:
> > tSrcId.ulPart1netANALYZER device number
> > tSrcId.ulPart2netANALYZER serial number
> > tSrcId.bPart4netANALYZER port number
> >
> > For Representation 0x02 to 0x05
> > tSrcId.bPart3netANALYZER TAP name (as character, e.g. 'A' = 0x41 or 'B')
> >
> > For Representation 0x01
> > tSrcId.bPart3netANALYZER TAP number
>
> That should also be noted in the specification.
>
> > > What other possible values of PayloadType are there?
> >
> > The PayloadType has the following possible values but they are not usefull for capturing network traffic. So the only 
> > value in the context of packet data will be 0x0A which represents DATATYPE_OCTET_STRING.
> >
> > #define VAR_DATATYPE_BOOLEAN        0x01
>
>         ...
>
> > #define VAR_DATATYPE_NONE           0xff
>
> It should also note that the other values are reserved and will not appear in pcap or pcapng files.
>
> > > > Slicing a captured packet is not supported by our capturing device.
> >
> > > But some software can slice packets afterwards.  Either that would have to be forbidden (meaning editcap and, I 
> > > think, tcpdump would have to check for LINKTYPE_NETANALYZER_NG/DLT_NETANALYZR_NG and refuse to do slicing), or they 
> > > would have to 1) ensure that the slice size is >= the footer size and 2) do the slicing specially, removing bytes 
> > > *before* the footer, so that if incl_len < VarSize + footer_size, (VarSize + footer_size) - incl_len bytes have been 
> > > sliced off.
> >
> > Both might be possible path to take for slicing. In any case the PayloadSize should also be adjusted when the payload 
> > length is changed in my opinion. Is this a Problem?
>
> So, with incl_len equal to {PayloadSize,VarSize} + 54, orig_len would be equal to {original PayloadSize} + 54, so the 
> original payload size would be orig_len - 54.
>
> That would allow the original size and the sliced size of the payload to be calculated, so that should work.
>
>
> --- End Message ---
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers