On Fri, Oct 05, 2001 at 02:33:19PM +0100, Georgios Papadopoulos wrote:
> I was wondering if it is possible to capture frame relay traffic from a 
> wire, using libpcap or WinPcap.
> 
> Does libpcap have the ability to detect the encapsulation type of a packet 
> if that is frame relay, using pcap_datalink()?

Only if the OS and raw packet capture mechanism atop which it runs can
do so.

FreeBSD's tcpdump has a "print-fr.c" file, but FreeBSD has no DLT_ type
for frame relay, and the dissector in "print-fr.c" never gets called,
which suggests that the underlying packet capture mechanism may not
handle "raw" frame relay - the OS may only run, for example, PPP over
Frame Relay, so the traffic will look like PPP traffic, with DLT_PPP as
the encapsulation type.

BSD/OS has a DLT_FR type, but I don't know what the link-layer headers
on DLT_FR captures are in BSD/OS - i.e., BSD/OS's libpcap may support
it, but we don't have enough information to add that support to
tcpdump.org's libpcap (or to programs that run atop libpcap, such as
tcpdump or Ethereal).

Linux has ARPHRD_DLCI and ARPHRD_FRAD, but I don't know what link-layer
headers show up when capturing from a PF_PACKET/SOCK_RAW socket on such
a device, or whether, as is all too often the case on Linux, the
link-layer headers include random unpredictable crap.

DLPI has a link-layer type code for Frame Relay LAPF, but I don't know
what shows up if you capture on it.

I don't know what happens on Win32 systems with the WinPcap driver; NDIS
has the annoying characteristic of having only a generic NdisMediumWan
link-layer type, which isn't sufficient to indicate whether the
link-layer header will be PPP, or some form of raw Frame Relay, or....

See

        http://www.ethereal.com/lists/ethereal-dev/200101/msg00065.html

for a mail message from January 2001 about some of these issues.

So:

        if a Frame Relay network interface is running as a PPP interface
        (PPP-over-Frame-Relay), the underlying packet capture mechanism
        will probably make it look like other PPP devices, and libpcap
        will be able to capture from it if it can do so on other PPP
        devices (which it *can't* do, for example, on Windows NT/2000),
        but the capture will just be a PPP capture;

        otherwise, if the interface doesn't look like a PPP interface:

                on Linux, it might work, but it'll currently work as a
                "cooked mode" capture, and not show any Frame Relay
                link-layer headers - we'd need to send code to somebody
                with a Linux machine with a Frame Relay interface, and
                have them test out changes, in order to see whether we
                can see the Frame Relay headers and, if we can, to debug
                code to show those headers;

                on other OS platforms, we'd need to send code to
                somebody with that OS and with a Frame Relay interface,
                and have them test out changes, in order to see whether
                we can make libpcap work and, if we can, to debug code
                to make it work.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
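The message above separates three outcomes: a PPP capture, a Linux "cooked mode" capture, and a capture with raw Frame Relay headers. The following added example (not part of the original message and not tcpdump.org code) reads the link-type field from a pcap savefile header to tell which one a capture is. It assumes the link-type numbers 9 (PPP), 113 (Linux cooked) and 107 (Frame Relay) from the tcpdump.org link-type registry, none of which appear in the message; the function names and sample headers are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Link-type numbers from the tcpdump.org registry (assumed; not in the message). */
enum { LT_PPP = 9, LT_FRELAY = 107, LT_LINUX_SLL = 113 };

static uint32_t rd32(const uint8_t *p, int big)
{
    return big ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
               : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* Returns the link type from a 24-byte pcap file header in either byte
 * order, or -1 if the buffer is short or the magic number is not pcap's. */
int savefile_linktype(const uint8_t *hdr, size_t len)
{
    if (len < 24) return -1;
    for (int big = 0; big <= 1; big++) {
        uint32_t magic = rd32(hdr, big);
        if (magic == 0xa1b2c3d4u || magic == 0xa1b23c4du)  /* usec / nsec timestamps */
            return (int)(rd32(hdr + 20, big) & 0xffffu);   /* low 16 bits hold the type */
    }
    return -1;
}

const char *describe(int lt)
{
    switch (lt) {
    case LT_FRELAY:    return "raw Frame Relay headers present";
    case LT_PPP:       return "PPP capture, no Frame Relay headers";
    case LT_LINUX_SLL: return "Linux cooked capture, link-layer header replaced";
    default:           return "unrecognised header or other link type";
    }
}

/* Constructed sample headers: Frame Relay (LE), PPP (BE), Linux cooked (LE). */
static const uint8_t SAMPLES[3][24] = {
    {0xd4,0xc3,0xb2,0xa1, 2,0,4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 107,0,0,0},
    {0xa1,0xb2,0xc3,0xd4, 0,2,0,4, 0,0,0,0, 0,0,0,0, 0,0,0xff,0xff, 0,0,0,9},
    {0xd4,0xc3,0xb2,0xa1, 2,0,4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 113,0,0,0},
};

int main(void)
{
    for (int i = 0; i < 3; i++)
        printf("%d: %s\n", i, describe(savefile_linktype(SAMPLES[i], 24)));
    return 0;
}
```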