Re: Is any work going on to improve the pcap format so we have have multuple link-types per capture?

[Richard Sharpe <rsharpe () richardsharpe com>]

On Mon, 9 Jun 2003, Guy Harris wrote:

Cc list trimmed ...

> On Mon, Jun 09, 2003 at 10:39:26PM -0700, Richard Sharpe wrote:
> > It seems to me that this is overkill for what we want/need, and it does 
> > not define the encap as DLT types. Rather, it defines them as Ethernet 
> > Wiretap enacp types,
>
> s/Ethernet/Ethereal/
>
> > which is not good enough!
>
> Which is, in fact, completely bogus, as Ethereal may well change
> WTAP_ENCAP_ values at any time (and, in fact, has changed them in the
> lifetime of the Tazmen stuff).
>
> Ethereal now treats them as Tazmen-specific values (that happen to have
> the same values as *some* of the WTAP_ENCAP_ values as of when the
> Tazmen support was first checked into Ethereal).
>
> DLT_ types are the right answer for libpcap, however.

Right. Here is a more complete suggestion:

/*
 * This could actually be any value you like ...
 */
#define DLT_COMMENT 0xFFFE
/*
 * This next value is set to keep it out of the way
 */
#define DLT_VAR_LINKTYPE 0xFFFF
/*
 * And here is the pkt_hdr_var structure
 * Note that after the linktype, everyting looks like a normal libpcap
 * format pkthdr structure ...
 */
struct pcap_hdr_encap {
  bpf_u_int32 linktype;
  struct pcap_pkthdr hdr;
}; 

> Note, though, that trying to make BPF filter those is non-trivial.

Right, but I am not sure that we want to do this.

-- 
Regards
-----
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe