Re: Request for new DLT and LINKTYPE value

[Guy Harris <guy () alum mit edu>]

On Apr 13, 2010, at 8:53 AM, Edgar, Thomas wrote:

> We are targeting framed protocols over serial, such as the serial versions of DNP3 and Modbus,

Then perhaps the right thing to do is to have *multiple* DLT_/LINKTYPE_ values, one for each protocol, and use the 
particular protocol's framing mechanism when capturing a particular protocol.  libpcap has an API to select link-layer 
type headers; it was originally introduced to support a BSD BPF mechanism that let 802.11 devices default to 
fake-Ethernet headers for backwards compatibility and allow 802.11-knowledgable applications select 802.11 headers, but 
it's also used with, for example, Endace DAG serial-line cards to select the link-layer type being used with those 
cards, as well as to handle Cisco's cable modem head-end systems which can spew out DOCSIS frames inside low-level 
Ethernet framing for tracing.

That API is supported by tcpdump and Wireshark/TShark, so if the code to capture those link-layer types also supports 
it, it should Just Work.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.