On Wed, May 13, 2015 at 11:08:01AM +0200, Daniel Borkmann wrote:
> On 05/10/2015 02:37 PM, Vadim Kochan wrote:
> >From: Vadim Kochan <vadi...@gmail.com>
> >
> >Since Netlink messages are written in default pcap format there is no
> >way to identify Netlink family by socket protocol number, so
> >use pcap cooked header for Netlink messages as described here:
> >
> >    http://www.tcpdump.org/linktypes/LINKTYPE_NETLINK.html
> >
> >Signed-off-by: Vadim Kochan <vadi...@gmail.com>
>
> Thanks for looking into this, Vadim!
>
> One preliminary question: you would only set that for netlink or
> also for other protocols?

Meanwhile it is useful only for Netlink link type.

>
> The basic issue is that normal pcap hdr in front of every captured
> packet loses this information for the dissector, but alternative
> formats such as kuznet/netsniff-ng format still have it preserved,
> but are not supported by tools like wireshark.

Well, the main motivation was:

1) support saving Netlink protocol info by default in pcap file w/o
   setting the magic type.
2) compatibility with Wireshark (not so important but ...)

Of course using borkmann's/kuznetsov's pcap headers solves this issue.

So the options which I see are:

If you think that setting the magic type is enough then ignore the patch
(at least it was funny to achieve the goal :-) ), but at least the manual
page should have a comment that for Netlink messages it is better to use
borkmann's/kuznetsov's format, and that's it :-)

>
> Ok. Thinking out loud, what if we add another pcap type as an option
> to choose?

Regards,
Vadim Kochan
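
The cooked header discussed in this thread, shown as an added example that is not part of the thread or of netsniff-ng's code: a reader that recovers the Netlink family of each record from a classic pcap file with link type LINKTYPE_NETLINK. It assumes the 16-byte header layout from the linked LINKTYPE_NETLINK page; the function names, the family subset and the sample capture are constructed for illustration.

```python
import struct

LINKTYPE_NETLINK = 253             # pcap link-layer type for Netlink
ARPHRD_NETLINK = 824               # ARPHRD_ value in the cooked header
COOKED = struct.Struct("!HH10xH")  # packet type, ARPHRD_ type, 10 unused, protocol
FAMILIES = {0: "NETLINK_ROUTE", 4: "NETLINK_SOCK_DIAG",
            12: "NETLINK_NETFILTER", 16: "NETLINK_GENERIC"}  # subset only

# Constructed sample nlmsghdr (host byte order): len, type 18 (RTM_GETLINK),
# flags, seq, pid. No payload follows.
SAMPLE_NLMSG = struct.pack("=IHHII", 16, 18, 0x301, 1, 0)


def build_sample_pcap(family, nlmsg=SAMPLE_NLMSG):
    """Constructed input: little-endian pcap, linktype 253, one record."""
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_NETLINK)
    frame = COOKED.pack(4, ARPHRD_NETLINK, family) + nlmsg  # 4: constructed packet type
    return ghdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


def netlink_families(pcap):
    """Return [(family name, nlmsg_type)] for each record of a Netlink pcap."""
    magic = struct.unpack_from("<I", pcap)[0] if len(pcap) >= 24 else None
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != LINKTYPE_NETLINK:
        raise ValueError("link type is not LINKTYPE_NETLINK")
    out, off = [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < COOKED.size + 16:    # cooked header + nlmsghdr
            out.append(("truncated", None))
            continue
        _ptype, arphrd, proto = COOKED.unpack_from(frame)
        if arphrd != ARPHRD_NETLINK:
            out.append(("not-netlink", None))
            continue
        # nlmsghdr is in the capturing host's byte order; native order assumed here.
        nl_type = struct.unpack_from("=IH", frame, COOKED.size)[1]
        out.append((FAMILIES.get(proto, "unknown(%d)" % proto), nl_type))
    return out


if __name__ == "__main__":
    print(netlink_families(build_sample_pcap(0)))
```

With a plain per-packet pcap header alone, the family value returned here would not be present in the file, which is the gap the patch description points at.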