Re: again usb sniffing: RFC

[Guy Harris <guy () alum mit edu>]

Paolo Abeni wrote:

> - I'm not able to take advantage of the memory mapped access: the kernel
> prepend to each event an header that is quite different form the libpcap
> pcap_usb_header. To keep thinks working I need to modify 'in-place' this
> header (but this requires write access to the memory mapped area,
> currently not available and extremely dangerous) or change the
> pcap_usb_header to match the kernel provided one. In the latter scenario
> the data link type associated to the generated trace will be
> linux-specific.

We have some other headers that are OS-specific (DLT_ARCNET_LINUX vs. 
the BSD-specific DLT_ARCNET, DLT_LINUX_IRDA, DLT_LINUX_LAPD, 
DLT_APPLE_IP_OVER_IEEE1394), so I don't see that as a fatal flaw.

Is pcap_usb_header specified by any part of the USB spec?  If not, then 
one could argue that one header format not in the spec is just as good 
as any other, and we might as well go with the standard memory-mapped 
header - as long as the Linux USB developers preserve binary 
compatibility and don't change the header format at some point in the 
future.

If we do that, we'd want a DLT_USB_LINUX link-layer type, which would 
also deal with the binary-compatibility issues.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.