rather than calling it a fake-link, why not a raw capture. We have precedent from the various raw protocol support on some versions of UNIX (which unfortunately seems to have meant raw-IP).
Secondly, rather than having a 16-bit protocol type, how about a 32-bit protocol type which would allow us to, say map IP-types and port-numbers etc without having to resort to more large tables.
Of, how about having a variable length type with:
First field being DLT-TYPE Second field being a sub-type based on that Third field being ...
Thus, a raw IP capture might have header types of:
0x0006 0x0001 0x0805 <capture-len> <data>
^ ^ ^
| | |
| | +----- IP ...
| +---------- DLT_EN10MB (ethernet II?)
+----------------- 6-bytes total type infoRegards
-----
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, sharpe[at]ethereal.com, http://www.richardsharpe.com
