This is what PPI does. http://www.cacetech.com/documents/PPI%20Header%20format%201.0.10.pdf
There is already a DLT for PPI (DLT_PPI). The only difference from your solution is that the minimum header before the packet is 8 bytes (instead of 4). The advantage is that Wireshark already supports this DLT. Have a nice day GV -----Original Message----- From: tcpdump-workers-ow...@lists.tcpdump.org [mailto:tcpdump-workers-ow...@lists.tcpdump.org] On Behalf Of Darren Reed Sent: Tuesday, December 28, 2010 7:02 PM To: tcpdump-workers@lists.tcpdump.org Subject: [tcpdump-workers] Request for new DLT number I've been looking through all of the DLT decoders looking for one that has just the DLT number in the header but I couldn't find one. Is there an existing DLT that matches this description? Otherwise, I'd like to request DLT_DLT (or something like that) be allocated to represent a 4 byte (network order) integer value that describes the DLT of the following data. In pcap files, it would roughly translate to the following being possible: [pcap file header, dlt = DLT_DLT] [pcap header with time stamp] [4 bytes, = DLT_EN10MB] [ethernet packet] [pcap header with time stamp] [4 bytes, = DLT_PPP] [ppp packet] Yes, I understand that "next gen pcap" can do this, no I don't want to use "next gen pcap" because that amount of change is just too big. Darren - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe. - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
