On Thu, Jul 25, 2002 at 02:14:58PM -0700, Joe Amici wrote:
> I understand that using the "any" interface allows
> libpcap to capture on all interfaces on Linux. What
> API should an application of libpcap use to
> differentiate between which packet was received on
> which interface ?
There is no API to use.
You'd have to add a new DLT_ type to use for cooked-mode captures and
modify libpcap to add the "interface index" field to the link-layer
header for that DLT_ type.
> I was looking at the hex dump of the packet that
> tcpdump captures for two cases -- "eth0" and "any". For
> similar packets, I saw an additional 2-byte field
> before the ip header in the case of "any" capture. I
> am presuming this is the interface info I need to
> access.
Nope. The man page for libpcap 0.7.1 says:

    pcap_datalink() returns the link layer type; link layer
    types it can return include:

        ...

        DLT_LINUX_SLL
            Linux "cooked" capture encapsulation; the link
            layer header contains, in order:

                a 2-byte "packet type", in network byte
                order, which is one of:

                    0   packet was sent to us by somebody else
                    1   packet was broadcast by somebody else
                    2   packet was multicast, but not
                        broadcast, by somebody else
                    3   packet was sent by somebody else to
                        somebody else
                    4   packet was sent by us

                a 2-byte field, in network byte order,
                containing a Linux ARPHRD_ value for the link
                layer device type;

                a 2-byte field, in network byte order,
                containing the length of the link layer address
                of the sender of the packet (which could be 0);

                an 8-byte field containing that number of
                bytes of the link layer header (if there are
                more than 8 bytes, only the first 8 are
                present);

                a 2-byte field containing an Ethernet protocol
                type, in network byte order, or containing 1
                for Novell 802.3 frames without an 802.2 LLC
                header or 4 for frames beginning with an 802.2
                LLC header.

and DLT_LINUX_SLL is the link-layer type for the "any" device.
Those 16 bytes are the header in front of the packet for a DLT_LINUX_SLL
capture. They are *NOT* an Ethernet header plus an extra 2-byte field,
so there's no "additional 2-byte field", there are several completely
different fields.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
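
The 16-byte DLT_LINUX_SLL header quoted from the man page above, decoded field by field with length and range checks. This is an added example, not part of the original message and not libpcap code; `struct sll_info`, `sll_parse()` and `be16()` are hypothetical names, and the sample bytes are constructed. It applies only when pcap_datalink() reports DLT_LINUX_SLL.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLL_HDR_LEN  16  /* 2 + 2 + 2 + 8 + 2 bytes, per the man page text */
#define SLL_ADDR_MAX 8   /* only the first 8 address bytes are present */

/* Hypothetical struct for this example; fields follow the man page order. */
struct sll_info {
    uint16_t pkttype;    /* 0..4, see the packet type table */
    uint16_t arphrd;     /* Linux ARPHRD_ value of the device */
    uint16_t addr_len;   /* sender address length as reported (may exceed 8) */
    uint8_t  addr[SLL_ADDR_MAX];
    size_t   addr_used;  /* valid bytes in addr[]: min(addr_len, 8) */
    uint16_t protocol;   /* Ethernet type, or 1 (raw 802.3) / 4 (802.2 LLC) */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns the payload offset (16) on success, or -1 if the captured data is
 * shorter than the header or the packet type is outside the listed 0..4. */
int sll_parse(const uint8_t *pkt, size_t caplen, struct sll_info *out)
{
    if (pkt == NULL || out == NULL || caplen < SLL_HDR_LEN)
        return -1;
    out->pkttype   = be16(pkt);
    out->arphrd    = be16(pkt + 2);
    out->addr_len  = be16(pkt + 4);
    out->addr_used = out->addr_len > SLL_ADDR_MAX ? SLL_ADDR_MAX : out->addr_len;
    memset(out->addr, 0, sizeof out->addr);
    memcpy(out->addr, pkt + 6, out->addr_used);  /* never reads past the 8-byte field */
    out->protocol  = be16(pkt + 14);
    return out->pkttype > 4 ? -1 : SLL_HDR_LEN;
}

/* Constructed sample: type 0 (sent to us), ARPHRD 1 (Ethernet), 6-byte sender
 * address padded to 8 bytes, protocol 0x0800, then one payload byte (0x45). */
const uint8_t sample_sll[] = { 0x00, 0x00, 0x00, 0x01, 0x00, 0x06,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x00, 0x08, 0x00, 0x45 };

int main(void)
{
    struct sll_info h;
    if (sll_parse(sample_sll, sizeof sample_sll, &h) < 0) return 1;
    printf("type=%u arphrd=%u addr_len=%u proto=0x%04x\n",
           h.pkttype, h.arphrd, h.addr_len, h.protocol);
    return 0;
}
```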