--- Begin Message ---
(Opening this up to the full tcpdump-workers list, to get more user input.)
On Apr 30, 2020, at 11:40 AM, Francois-Xavier Le Bail
<devel.fx.leb...@orange.fr> wrote:
> The tcpdump manual states:
>
> -x When parsing and printing, in addition to printing the headers
> of each packet, print the data of each packet (minus its link
> level header) in hex. The smaller of the entire packet or
> snaplen bytes will be printed. Note that this is the entire
> link-layer packet, so for link layers that pad (e.g. Ethernet),
> the padding bytes will also be printed when the higher layer
> packet is shorter than the required padding.
>
> In "minus its link level header" (singular, thus one header), link level
> header should be understood
> as the DLT link level header ?
>
> E.g. for "IP over Fibre Channel printer" (print-ipfc.c), the LL header length
> is IPFC_HDRLEN (16) or
> caplen if the packet is truncated ?
>
> I ask the question because sometimes some other LL length are taken in
> account (LLC, etc.).
> I think it is confusing to mix in the "minus its link level header" the DLT
> LL and other upper layer
> link layers.
>
> We should just take in account the pseudo-header length in some cases e.g.
> DLT_NETANALYZER,
> DLT_NETANALYZER_TRANSPARENT, etc., added to Ethernet header length.
My *guess* is that the most *useful* interpretation of "link level header" is
"whatever, in an IP packet, would come before the IP header".
So that'd include, for example, the LLC header.
It would also, of course, take into account any metadata pseudo-headers, such
as the NetAlyzer headers the radiotap header for 802.11.
--- End Message ---
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
