Re: tcpdump: patches required for OpenSolaris/SXCE

[Guy Harris <guy () alum mit edu>]

On Nov 25, 2009, at 10:55 AM, Darren Reed wrote:

> On 11/24/09 18:31, Michael Richardson wrote:
> > Darren, thanks!
> >
> > Please pull from the git tree, and run "./configure; make check"
> > I would appreciate it if you have any pcap files of formats:
> >  DOCSIS (DOCSIS) (printing not supported)
>
> This seems to be an inherent part of libpcap?
> BPF on Solaris doesn't report that, pcap adds it...
> See pcap-bpf.c:get_dlt_list()

DLT_DOCSIS is there for the benefit of Cisco cable modem head-end  
devices - they will put onto an Ethernet segment DOCSIS frames  
encapsulated in *very* low-level Ethernet framing, where "*very* low- 
level" means "layer 1", i.e. there is no Ethernet 14-octet header, the  
frame is all DOCSIS.

It predates Darren's work.

The idea is that, if you're really capturing DOCSIS traffic on your  
Ethernet segment, you'll use the "-y" flag to set the link-layer type  
to DLT_DOCSIS (or use a GUI equivalent), so the capture will be tagged  
as DOCSIS rather than Ethernet, and an application that handles that  
(e.g., Wireshark) will dissect it appropriately.

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.