Wireshark mailing list archives

Re: Npcap 0.04 call for test


From: Guy Harris <guy () alum mit edu>
Date: Tue, 18 Aug 2015 10:45:17 -0700


On Aug 18, 2015, at 9:22 AM, Jim Young <jyoung () gsu edu> wrote:

> Instead of supplying an ethernet header with the mac addresses of all zeros, would it make more sense to supply a
> NULL/Loopback encapsulation type to packets captured in the Npcap LoopBack Interface?

It looks as if the loopback interface supplies only IPv4 and IPv6 packets.

In that case, either DLT_NULL, DLT_LOOP, or DLT_RAW would work.

For DLT_NULL and DLT_LOOP, the packet has a 4-byte header followed by the IP datagram.  For DLT_NULL, the 4-byte header 
is in the byte order of the host on which the capture is being done; for DLT_LOOP, it's in network byte order.  The 
value is 2 for IPv4 and, for IPv6:

        24 for OpenBSD, NetBSD, and BSD/OS;
        28 for FreeBSD;
        30 for OS X and iOS;
        10 for Linux;
        26 for Solaris;
        23 for Windows;

because 4.2BSD defined AF_INET to be 2 but, as IPv6 didn't exist yet, didn't define AF_INET6, so everybody ran off and 
defined it differently.

For DLT_RAW, the packet begins with the IP datagram; code to dissect the packet looks at the version number in the IP 
header to determine whether it's IPv4 or IPv6.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
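
The three layouts described in the message above, as an added C example that is not part of the original post and is not libpcap or Wireshark code. The enum tags, function names and sample bytes are constructed for illustration; trying both byte orders for DLT_NULL (in case the file is read on a host of different endianness than the capturing one) and cross-checking the header against the IP version field are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical tags for the three encapsulations (not libpcap's DLT_ numbers). */
enum encap { ENC_NULL, ENC_LOOP, ENC_RAW };

/* Map an address-family value to an IP version, using the list in the message. */
static int af_to_ipver(uint32_t af)
{
    static const uint32_t af_inet6[] = { 24, 28, 30, 10, 26, 23 };
    if (af == 2)
        return 4;
    for (size_t i = 0; i < sizeof af_inet6 / sizeof af_inet6[0]; i++)
        if (af == af_inet6[i])
            return 6;
    return -1;
}

/* Return 4 or 6 and set *ip_off to the start of the IP datagram, or return
 * -1 if the packet is truncated, unknown, or inconsistent with its header. */
int classify(enum encap e, const uint8_t *p, size_t len, size_t *ip_off)
{
    int ver = -1;
    size_t off = (e == ENC_RAW) ? 0 : 4;

    if (len < off + 1)
        return -1;                      /* need the header plus one IP byte */
    if (e != ENC_RAW) {
        uint32_t be = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
                      (uint32_t)p[2] << 8 | p[3];
        uint32_t le = (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 |
                      (uint32_t)p[1] << 8 | p[0];
        ver = af_to_ipver(be);          /* DLT_LOOP: network byte order only */
        if (ver < 0 && e == ENC_NULL)
            ver = af_to_ipver(le);      /* DLT_NULL: capturing host's order */
    }
    int nibble = p[off] >> 4;           /* version field of the IP header */
    if (nibble != 4 && nibble != 6)
        return -1;
    if (e != ENC_RAW && ver != nibble)
        return -1;                      /* AF value disagrees with datagram */
    *ip_off = off;
    return nibble;
}

/* Constructed samples: 4-byte header (where present) plus first IP byte. */
const uint8_t sample_null_v4_le[] = { 2, 0, 0, 0, 0x45 };  /* little-endian host */
const uint8_t sample_loop_v6[]    = { 0, 0, 0, 30, 0x60 }; /* AF_INET6 = 30 */
const uint8_t sample_raw_v6[]     = { 0x60 };
```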