tcpdump mailing list archives

Re: pcap and loopback headers


From: Guy Harris <guy () alum mit edu>
Date: Thu, 27 Jul 2006 00:29:02 -0700

Adam M. wrote:
> This is probably a FAQ++, but I'm having trouble using Pcap for
> savefiles that were captured from a loopback device.
>
> There are 2 problems here:
> 1) In general, how is one supposed to determine what the layer-2
> protocol is?

Call pcap_datalink() on the pcap_t. It'll indicate what the layer-2 *header* is - which might not directly correspond to the type of device on which you're capturing; 802.11 device drivers and devices might supply Ethernet headers (DLT_EN10MB) or 802.11 headers (DLT_IEEE802_11) or 802.11 headers plus radio information (DLT_PRISM_HEADER, DLT_IEEE802_11_RADIO, DLT_IEEE802_11_RADIO_AVS), and loopback devices might supply traditional BSD-style loopback headers (DLT_NULL) or OpenBSD-style loopback headers (DLT_LOOP) or Ethernet headers (DLT_EN10MB).

> 2) It seems that the loopback header format is different for Linux and
> BSD/Mac. Linux seems to 'fake' the header with an Ethernet-style format
> with zero'd out source/destination addresses, and only fill in the
> layer-3 protocol number. BSD/Mac use a single 4-byte field to indicate
> the layer-3 protocol number.

Exactly.

Furthermore, different BSDs have different headers; FreeBSD, NetBSD, and OS X supply DLT_NULL headers, with the 4-byte field being in host byte order, and newer versions of OpenBSD supply DLT_LOOP headers, with the 4-byte field being in *network* byte order.

In addition, with DLT_NULL and DLT_LOOP, IPv4 has the same layer-3 protocol number in all BSDs (AF_INET is 2 in all of them), but IPv6 has different link-layer type values in different BSDs (AF_INET6 is 24 in OpenBSD and NetBSD, 28 in FreeBSD, and 30 in OS X/Darwin).

> How does one handle this when parsing packets read from Pcap?

By using pcap_datalink() to determine the link-layer header type.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
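The dispatch described in the reply above, as an added example in C that is not code from the original thread or from libpcap. The DLT numbers are the ones from libpcap's dlt.h (DLT_NULL = 0, DLT_EN10MB = 1, DLT_LOOP = 108), the address-family numbers are the ones Guy lists, and the sample packets are constructed, each being a link-layer header followed by the first byte of an IP header. Two checks beyond what the reply spells out are assumptions of this example: a DLT_NULL field is in the byte order of the host that wrote the savefile, so a value with its high 16 bits set is taken to come from an opposite-endian writer and byte-swapped (the same heuristic tcpdump's print-null.c applies), and the IP version nibble after the header is cross-checked against what the header claimed, so a bogus or unrecognised family number cannot send the wrong parser down the packet.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Link-layer header type values, as defined in libpcap's dlt.h. */
#define DLT_NULL    0    /* BSD loopback: 4-byte AF value in the writer's host byte order */
#define DLT_EN10MB  1    /* Ethernet; also what Linux "lo" supplies, with zeroed MACs */
#define DLT_LOOP    108  /* OpenBSD loopback: 4-byte AF value in network byte order */

enum l3 { L3_UNKNOWN = 0, L3_IPV4 = 4, L3_IPV6 = 6 };

/* Map the BSD address-family number in a loopback header to a layer-3 protocol. */
static enum l3 af_to_l3(uint32_t af)
{
    switch (af) {
    case 2:  return L3_IPV4;  /* AF_INET, the same on every BSD */
    case 24:                  /* AF_INET6 on OpenBSD and NetBSD */
    case 28:                  /* AF_INET6 on FreeBSD */
    case 30: return L3_IPV6;  /* AF_INET6 on OS X / Darwin */
    default: return L3_UNKNOWN;
    }
}

static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static uint32_t load_le32(const uint8_t *p)
{
    return ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

/*
 * Decode the link-layer header of one packet. dlt is what pcap_datalink()
 * returned for the pcap_t the packet came from. On success returns 0 and sets
 * *proto and *l3_offset (where the IP header starts). Returns -1 for a
 * truncated packet or an unsupported DLT, -2 when the header's claim disagrees
 * with the IP version nibble that follows it.
 */
static int classify_link_header(int dlt, const uint8_t *pkt, size_t caplen,
                                enum l3 *proto, size_t *l3_offset)
{
    uint32_t family;
    uint16_t ethertype;

    switch (dlt) {
    case DLT_NULL:
        if (caplen < 4) return -1;
        /* Assumed heuristic (also used by tcpdump): BSD AF numbers are small, so if
         * the high 16 bits are set the file was written by an opposite-endian host. */
        family = load_le32(pkt);
        if (family & 0xFFFF0000u)
            family = load_be32(pkt);
        *proto = af_to_l3(family);
        *l3_offset = 4;
        break;
    case DLT_LOOP:
        if (caplen < 4) return -1;
        family = load_be32(pkt);                /* always network byte order */
        *proto = af_to_l3(family);
        *l3_offset = 4;
        break;
    case DLT_EN10MB:
        if (caplen < 14) return -1;
        ethertype = (uint16_t)((pkt[12] << 8) | pkt[13]);   /* Ethertype is big-endian */
        *proto = ethertype == 0x0800 ? L3_IPV4 :
                 ethertype == 0x86DD ? L3_IPV6 : L3_UNKNOWN;
        *l3_offset = 14;
        break;
    default:
        return -1;   /* 802.11, radiotap and friends need their own header parsers */
    }

    /* Cross-check the IP version nibble before trusting the link header's claim. */
    if (*proto != L3_UNKNOWN) {
        if (caplen <= *l3_offset) return -1;
        unsigned version = pkt[*l3_offset] >> 4;
        if ((*proto == L3_IPV4 && version != 4) || (*proto == L3_IPV6 && version != 6))
            return -2;
    }
    return 0;
}

/* Convenience wrapper: returns the l3 value (4, 6 or 0) or the negative error code. */
static int classify_simple(int dlt, const uint8_t *pkt, size_t caplen)
{
    enum l3 proto;
    size_t off;
    int rc = classify_link_header(dlt, pkt, caplen, &proto, &off);
    return rc < 0 ? rc : (int)proto;
}

/* Constructed samples (not from a real capture): link header + first byte of the IP header. */
static const uint8_t loop_v6_darwin[]  = { 0, 0, 0, 30, 0x60 };   /* DLT_LOOP, AF 30, IPv6 */
static const uint8_t loop_v4_bad[]     = { 0, 0, 0, 2, 0x60 };    /* DLT_LOOP says AF_INET, payload is IPv6 */
static const uint8_t eth_v4_linux[]    = { 0,0,0,0,0,0, 0,0,0,0,0,0, 0x08, 0x00, 0x45 }; /* Linux lo */
static const uint8_t null_be_v4[]      = { 0, 0, 0, 2, 0x45 };    /* DLT_NULL written on a big-endian host */
static const uint8_t null_le_v6_fbsd[] = { 28, 0, 0, 0, 0x60 };   /* DLT_NULL written on little-endian FreeBSD */

int main(void)
{
    printf("DLT_LOOP   Darwin IPv6 : %d\n", classify_simple(DLT_LOOP, loop_v6_darwin, sizeof loop_v6_darwin));
    printf("DLT_LOOP   mismatch    : %d\n", classify_simple(DLT_LOOP, loop_v4_bad, sizeof loop_v4_bad));
    printf("DLT_EN10MB Linux lo    : %d\n", classify_simple(DLT_EN10MB, eth_v4_linux, sizeof eth_v4_linux));
    printf("DLT_NULL   BE writer   : %d\n", classify_simple(DLT_NULL, null_be_v4, sizeof null_be_v4));
    printf("DLT_NULL   FreeBSD IPv6: %d\n", classify_simple(DLT_NULL, null_le_v6_fbsd, sizeof null_le_v6_fbsd));
    return 0;
}
```

In a real reader the dlt argument comes from pcap_datalink() on the pcap_t returned by pcap_open_offline(), and each packet's caplen comes from the pcap_pkthdr that pcap_next_ex() hands back; the parser never reads past caplen, so a truncated snapshot fails closed rather than reading off the end of the buffer.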

