Re: Reading capture files with an unknown link-layer header type

[Francois-Xavier Le Bail via tcpdump-workers <tcpdump-workers () lists tcpdump org>]

> --- Begin Message ---
>
>
> From: Francois-Xavier Le Bail <devel.fx.lebail () orange fr>
>
> Date: Sat, 13 Jun 2020 14:23:00 +0200
>
> On 12/06/2020 07:31, Guy Harris via tcpdump-workers wrote:
> > François checked in a change to tcpdump so that, if it's handed a capture file with a link-layer header type for 
> > which it has no dissector, it just dumps the packet data in hex, rather than failing with an indication that the 
> > header type isn't supported.
> >
> > However, pcap_compile(), in *libpcap*, will fail with an unknown header type - and tcpdump always hands a filter to 
> > pcap_compile(), even if it's a null string (which means "accept every packet").
> >
> > It doesn't fail with *known* filter types for which most filters are unsupported, it just rejects most of them (other 
> > than "link[M:N]").
> >
> > Is there any reason *not* handle link-layer types unknown to libpcap in pcap_compile()?
>
>
> No reason.
> We should decode them in hex/ASCII like with the previous change with perhaps a warning like:
> "Warning: link-type 290 is not in libpcap range"
>
> --- End Message ---
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers