tcpdump mailing list archives

Re: Is any work going on to improve the pcap format so we have multiple link-types per capture?


From: Guy Harris <gharris () sonic net>
Date: Mon, 9 Jun 2003 22:49:39 -0700

On Mon, Jun 09, 2003 at 10:39:26PM -0700, Richard Sharpe wrote:
> It seems to me that this is overkill for what we want/need, and it does
> not define the encap as DLT types. Rather, it defines them as Ethernet
> Wiretap encap types,

s/Ethernet/Ethereal/

> which is not good enough!

Which is, in fact, completely bogus, as Ethereal may well change
WTAP_ENCAP_ values at any time (and, in fact, has changed them in the
lifetime of the Tazmen stuff).

Ethereal now treats them as Tazmen-specific values (that happen to have
the same values as *some* of the WTAP_ENCAP_ values as of when the
Tazmen support was first checked into Ethereal).

DLT_ types are the right answer for libpcap, however.

Note, though, that trying to make BPF filter those is non-trivial.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe

