Wireshark mailing list archives
Re: How does dumpcap.c communicate linktype when pushing packets into the rest of Wireshark?
From: Guy Harris <guy () alum mit edu>
Date: Thu, 10 May 2012 19:22:12 -0700
On May 10, 2012, at 7:11 PM, Richard Sharpe wrote:
> On Thu, May 10, 2012 at 7:05 PM, Guy Harris <guy () alum mit edu> wrote:
>> The messages from dumpcap to Wireshark on the sync pipe just say things such as "there are N more packets to read from the capture file" or "I've stopped writing to that capture file and am now writing to a capture file with this pathname"; they do not say "this capture has link-layer header type XXX", or even "this capture has a new interface with link-layer header type XXX" (given that "this capture has link-layer type XXX" is insufficient to fully support capturing on multiple interfaces, which 1.7.x supports).
>
> It would seem that we need to say "this packet has link-layer type XXX" and the pcap-opts that is passed some of the way in supports that, it seems.

The way that we say "this packet has link-layer type XXX" is that wtap_read() fills in a structure that includes the packet's WTAP_ENCAP value. How the WTAP_ENCAP value is determined is dependent on the file type - all packets in a pcap file have the WTAP_ENCAP value from the file header, packets from a pcap-ng file have an interface ID that refers to an already-seen IDB that gives the WTAP_ENCAP value for packets on that interface, etc.

That's independent of the capture options. When capturing on an interface supported by libpcap/WinPcap, the option that's passed in for that interface has a DLT_ value to pass to pcap_set_datalink() after that interface is opened (for most interfaces, there's only one possible DLT_ value, and that's the one that's passed in); when capturing on a pipe, the link-layer header type cannot be set, as the packets being written to the pipe have whatever header they have.
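
Added example (not part of the original message and not Wireshark's own code): a minimal C reader for the rule described above, where a pcap file's link type comes from its file header and a pcap-ng packet's comes from the IDB that its interface ID refers to. The names `packet_linktypes`, `sample_linktypes` and `SAMPLE` are hypothetical, the sample bytes are constructed, and only little-endian files with the microsecond pcap magic are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
static uint32_t rd32(const uint8_t *p) {               /* little-endian 32-bit read */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Hypothetical helper: stores each packet's link type in out[]; returns the count, or -1 if malformed. */
int packet_linktypes(const uint8_t *b, size_t len, uint16_t *out, int max) {
    uint16_t idb[16]; uint32_t nidb = 0, blen = 0; int n = 0; size_t off;
    if (len >= 24 && rd32(b) == 0xA1B2C3D4u) {         /* pcap: header type covers every record */
        for (off = 24; len - off >= 16 && n < max; off += 16 + (size_t)rd32(b + off + 8)) {
            if (rd32(b + off + 8) > len - off - 16) return -1;   /* truncated record */
            out[n++] = (uint16_t)rd32(b + 20);
        }
        return n;
    }
    if (len < 12 || rd32(b) != 0x0A0D0D0Au) return -1; /* pcap-ng must open with an SHB */
    for (off = 0; len - off >= 12 && n < max; off += blen) {
        const uint8_t *body = b + off + 8;
        uint32_t type = rd32(b + off);
        blen = rd32(b + off + 4);
        if (blen < 12 || blen % 4 || blen > len - off) return -1;
        if (type == 0x0A0D0D0Au) {                     /* SHB: interface IDs restart at 0 */
            if (blen < 28 || rd32(body) != 0x1A2B3C4Du) return -1;
            nidb = 0;
        } else if (type == 1) {                        /* IDB: defines the next interface ID */
            if (blen < 20 || nidb == 16) return -1;
            idb[nidb++] = (uint16_t)(body[0] | body[1] << 8);
        } else if (type == 6) {                        /* EPB: names its interface by ID */
            if (blen < 32 || rd32(body) >= nidb) return -1;   /* no IDB seen for this ID */
            out[n++] = idb[rd32(body)];
        }
    }
    return n;
}
/* Constructed sample (LE words): SHB, IDB 0 = 1 (Ethernet), IDB 1 = 105 (802.11), empty EPBs on if 1, if 0. */
static const uint32_t SAMPLE[33] = {
    0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0xFFFFFFFF, 0xFFFFFFFF, 28,   1, 20, 1, 0, 20,   1, 20, 105, 0, 20,
    6, 32, 1, 0, 0, 0, 0, 32,   6, 32, 0, 0, 0, 0, 0, 32 };
int sample_linktypes(uint16_t *out, int max) {
    uint8_t buf[sizeof SAMPLE];
    for (size_t i = 0; i < sizeof SAMPLE; i++) buf[i] = (uint8_t)(SAMPLE[i / 4] >> (8 * (i % 4)));
    return packet_linktypes(buf, sizeof buf, out, max);
}
int main(void) {
    uint16_t lt[4];
    for (int i = 0, n = sample_linktypes(lt, 4); i < n; i++) printf("packet %d: link type %u\n", i, (unsigned)lt[i]);
    return 0;
}
```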