On Dec 28, 2010, at 8:23 PM, Gianluca Varenni wrote: > This is what PPI does. > > http://www.cacetech.com/documents/PPI%20Header%20format%201.0.10.pdf
That document misspells "linktype" as "dlt". :-) DLT_ values are platform-dependent; there is no guarantee that DLT_xxx will have the same value on all platforms. The values that appear in pcap and pcap-ng packet headers are LINKTYPE_ values, which are currently not defined in a public header file (they're defined in libpcap's savefile.c (in older versions of libpcap) or pcap-common.c (libpcap 1.1.0 and later), but that's only because there isn't yet an API that uses them. 99 44/100% of the DLT_ definitions are the same as the equivalent LINKTYPE_ values; the exceptions are the DLT_ definitions that were given different values in different OSes, e.g. DLT_RAW (14 in OpenBSD, 12 everywhere else). Currently, tcpdump.org, when it assigns a new value, gives the same value to DLT_xxx and LINKTYPE_xxx. (LINKTYPE_RAW is 101; capture files should *not* use 14 or 12 to indicate a raw IP capture, they should use 101.)- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
