On 13/05/11 01:02 AM, Guy Harris wrote:
On May 13, 2011, at 12:52 AM, Darren Reed wrote:

The goal of this is quite specific: to allow packets on a network device
to have mixed link-layer headers present and be able to use tcpdump and
friends to push meaningful filters into the kernel. The general thrust
of that is towards IP, thus weird 802.2/PPP headers aren't really that
interesting from a problem perspective, however that doesn't mean they
get ignored.

Are the link-layer headers, or some component of them, of any interest in this 
particular application? (Presumably so, otherwise you'd just be using 
LINKTYPE_RAW, with all packets being IPv4 or IPv6 and starting with the 
IPv{4,6} header, with the version field being used to distinguish between them.)

Right.

Is the *entire* link-layer header of interest, or only selected fields?  
LINKTYPE_LINUX_SLL:

        http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html

will supply a standardized packet type (Ethertype if it has one, 1 if it's the 
crufty old IPX-directly-over-Ethernet stuff, 4 if the payload starts with an 
802.2 header, protocols that have no Ethertype nor a DSAP nor an OUI/PID 
combination for SNAP aren't allowed) and the sender's link-layer address, if 
any, along with the Linux ARPHRD_ type for the device (to help you interpret 
the sender address, presumably).  If that supplies enough information, you could 
use that.

That would require throwing away too much useful information.

Darren

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
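
A bounds-checked parser for the 16-byte LINKTYPE_LINUX_SLL header discussed in this thread, as an added example; it is not code from the thread, libpcap or tcpdump. The field layout follows the linked LINKTYPE_LINUX_SLL page, and the struct, function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLL_HDR_LEN  16   /* fixed header size per the LINKTYPE_LINUX_SLL page */
#define SLL_ADDR_MAX 8    /* the address field is always 8 bytes wide */

struct sll_info {                 /* hypothetical struct for this example */
    uint16_t pkttype;             /* 0 to us, 1 broadcast, 2 multicast, 3 other host, 4 sent by us */
    uint16_t arphrd;              /* Linux ARPHRD_ value of the device */
    uint16_t addr_len;            /* sender address length as reported; may be 0 or > 8 */
    uint8_t  addr[SLL_ADDR_MAX];  /* sender link-layer address, padded or truncated */
    uint16_t protocol;            /* Ethertype, or 1 / 4 for the special cases */
    const uint8_t *payload;       /* first byte after the SLL header */
    size_t   payload_len;
};
enum sll_payload { SLL_ETHERTYPE, SLL_RAW_8023_IPX, SLL_LLC_8022, SLL_OTHER };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the header; returns 0 on success, -1 if the capture is too short. */
int sll_parse(const uint8_t *buf, size_t len, struct sll_info *out) {
    if (buf == NULL || out == NULL || len < SLL_HDR_LEN) return -1;
    out->pkttype  = be16(buf);
    out->arphrd   = be16(buf + 2);
    out->addr_len = be16(buf + 4);
    memcpy(out->addr, buf + 6, SLL_ADDR_MAX);
    out->protocol = be16(buf + 14);
    out->payload  = buf + SLL_HDR_LEN;
    out->payload_len = len - SLL_HDR_LEN;
    return 0;
}
/* Address bytes actually present: never trust addr_len beyond the 8-byte field. */
size_t sll_addr_bytes(const struct sll_info *h) {
    return h->addr_len > SLL_ADDR_MAX ? SLL_ADDR_MAX : h->addr_len;
}
/* Classify the protocol field using the cases named in the thread. */
enum sll_payload sll_classify(uint16_t protocol) {
    if (protocol == 0x0001) return SLL_RAW_8023_IPX;  /* IPX directly over Ethernet */
    if (protocol == 0x0004) return SLL_LLC_8022;      /* payload starts with 802.2 */
    return protocol >= 0x0600 ? SLL_ETHERTYPE : SLL_OTHER;
}
/* Constructed sample: unicast to us, ARPHRD_ETHER, 6-byte sender, IPv4, 2 payload bytes. */
const uint8_t sll_sample[] = { 0x00,0x00, 0x00,0x01, 0x00,0x06,
    0x00,0x11,0x22,0x33,0x44,0x55,0x00,0x00, 0x08,0x00, 0x45,0x00 };
int main(void) {
    struct sll_info h;
    if (sll_parse(sll_sample, sizeof sll_sample, &h) != 0) return 1;
    printf("proto=0x%04x addr_bytes=%zu\n", (unsigned)h.protocol, sll_addr_bytes(&h));
    return 0;
}
```

Only the sender address, device type and protocol survive in this header, which is the information loss the reply above objects to.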
