tcpdump mailing list archives

Re: live capture Ethernet gives me zero-packets


From: Michael Richardson <mcr () sandelman ca>
Date: Wed, 27 Apr 2011 15:07:17 -0400


"Andrej" == Andrej van der Zee <andrejvanderzee () gmail com> writes:
    >> (No, the "any" device doesn't give you Ethernet packets, even if,
    >> at the time you start the capture, the only interfaces on your
    >> machine are Ethernet interfaces.  If you want to capture on a
    >> particular Ethernet device, use its name, e.g. "eth0", in which
    >> case you'll presumably get packets that have Ethernet headers -
    >> although you should probably check the value returned by
    >> pcap_datalink() whenever you do any pcap_open call, including
    >> pcap_open_offline() to read from a savefile, or when you do
    >> pcap_create()/.../pcap_activate().)-
    >> 

    Andrej> Indeed I assumed that since I have only ethernet interfaces
    Andrej> that the link-type for any would be EN10MB. Now I know this
    Andrej> is false on Linux when using "any".

Correct.   It is a sad historical design limitation that libpcap did not
tell you where each layer starts.

I wrote some code in C++, which I have placed under a do-anything license,
which distinguishes between EN10MB and LINKTYPE_LINUX_SLL/DLT_LINUX_SLL.

I am offline right now, so I can't post the exact link, but it's on
github.com, under mcr/unstrung, in lib/libfakeiface/pcap_iface.cpp.
I use this code to let me use pcap files as input to other code as part
of unit testing.  There is some hackery as I only care about IPv6, but
you can likely adapt.

-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr () sandelman ottawa on ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
                       then sign the petition. 

-
This is the tcpdump-workers list.
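
The check discussed in the message above, as an added example (not code from the post or from mcr/unstrung): pick the link-layer header length from the link type before touching the packet, and refuse link types you do not handle. `l3_offset` and the sample frames are hypothetical and constructed for illustration; in a real program `dlt` is the value returned by pcap_datalink() and the DLT_* constants come from <pcap/pcap.h>.

```c
#include <stddef.h>
#include <stdint.h>

/* Link-type values as defined by libpcap; the guards let this compile
   both with and without <pcap/pcap.h> already included. */
#ifndef DLT_EN10MB
#define DLT_EN10MB    1     /* Ethernet */
#endif
#ifndef DLT_LINUX_SLL
#define DLT_LINUX_SLL 113   /* Linux "cooked" capture, e.g. the "any" device */
#endif

#define ETH_HDR_LEN 14  /* dst(6) src(6) ethertype(2) */
#define SLL_HDR_LEN 16  /* pkttype(2) hatype(2) halen(2) addr(8) protocol(2) */

/* Hypothetical helper: returns the offset of the network-layer header and
   stores the protocol field (normally an EtherType) in *proto.
   Returns -1 for an unsupported link type or a truncated capture. */
int l3_offset(int dlt, const uint8_t *pkt, size_t caplen, uint16_t *proto)
{
    size_t off;

    switch (dlt) {
    case DLT_EN10MB:    off = ETH_HDR_LEN; break;
    case DLT_LINUX_SLL: off = SLL_HDR_LEN; break;
    default:            return -1;          /* do not guess a layout */
    }
    if (caplen < off)
        return -1;                          /* header not fully captured */

    /* In both layouts the protocol is the last two header bytes, big-endian. */
    *proto = (uint16_t)((pkt[off - 2] << 8) | pkt[off - 1]);
    return (int)off;
}

/* Constructed samples: a link-layer header followed by the first byte of an
   IPv6 header (0x60). The same payload, framed two different ways. */
static const uint8_t sample_eth[] = {
    0x33, 0x33, 0, 0, 0, 1,   0x02, 0, 0, 0, 0, 0x01,   0x86, 0xdd,   0x60 };
static const uint8_t sample_sll[] = {
    0, 0,   0, 1,   0, 6,   0x02, 0, 0, 0, 0, 0x01, 0, 0,   0x86, 0xdd,   0x60 };
```

Parsing `sample_sll` with the Ethernet layout reads two bytes of the address field as the protocol, which is the failure the thread describes when "any" is assumed to be EN10MB.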