On Sun, Feb 18, 2001 at 01:47:27AM -0800, Faisal Zakaria Siddiqi wrote:
> Thanks Guy,
>
> I only need it for linux 2.2.4 and was trying to trace the code to
> find where this was printed. So my idea was that one section of
> the printing code is this hierarchy :
>
> ether_if_print calls ether_encap_print
> ether_encap_print calls ip_print
> ip_print calls tcp_print.
>
> so where is the call to sll_print. Is it also a similar hierarchy?

Yes.

If you look at the tcpdump 3.6[.x] code, "sll_if_print()" calls
"sll_print()" (which is what prints the ">" and "<" indication), and
then calls "ether_encap_print()" for Ethernet (as opposed to 802.2 or
802.3 packets), leading to "ip_print()", "tcp_print()", etc.

> My problem would be solved if I could use the sll_pkttype
> field for knowing the directionality of the packet. Can I access
> that in the call hierarchy outlined above?

Not by that name. "sll_pkttype" is a Linux-specific name, and neither
libpcap nor tcpdump are Linux-specific programs; libpcap hides the
details of the platform on which it's running inside the "pcap-XXX.c"
files, and code above that doesn't see the low-level details of the
underlying OS's packet capture mechanism.

Instead, libpcap puts, if you capture on the "any" device (or on a
Linux device whose ARPHRD_ type doesn't have a corresponding DLT_ type),
a fake link-layer header on the packets, constructed from fields in the
"sockaddr_ll" header. That header is parsed by tcpdump - even when not
running on Linux.

If a capture is a DLT_LINUX_SLL capture, the link layer header contains,
in the first 2 bytes, a value derived from the "sll_pkttype"; the values
are defined in the "sll.h" header file in the libpcap and tcpdump source
trees.

That field is available *ONLY* on DLT_LINUX_SLL captures; it is *NOT*
available for, say, Ethernet captures, and if you capture on, say,
"eth0" you'll get an Ethernet capture, not a DLT_LINUX_SLL capture.
Capture on the "any" device if you want a DLT_LINUX_SLL capture.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
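
Added example, not part of the original message and not code from the tcpdump or libpcap sources: reading the packet-type field from the 16-byte DLT_LINUX_SLL header described above, and refusing to do so on any other link type. The names sll_parse, sll_direction, struct sll_info and the sample bytes are constructed for illustration; the LINUX_SLL_* values follow "sll.h", and the single '<' for every non-outgoing type is this example's simplification.

```c
#include <stdint.h>
#include <stdio.h>

#define DLT_EN10MB      1     /* Ethernet capture: no direction field */
#define DLT_LINUX_SLL   113   /* Linux "cooked" capture, e.g. the "any" device */
#define SLL_HDR_LEN     16    /* pkttype, hatype, halen, addr[8], protocol */
/* Packet-type values as defined in sll.h */
#define LINUX_SLL_HOST      0 /* sent to us */
#define LINUX_SLL_BROADCAST 1
#define LINUX_SLL_MULTICAST 2
#define LINUX_SLL_OTHERHOST 3 /* to someone else, seen in promiscuous mode */
#define LINUX_SLL_OUTGOING  4 /* sent by us */

struct sll_info { uint16_t pkttype, hatype, halen, protocol; };
/* All header fields are big-endian (network byte order). */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 if the capture is not DLT_LINUX_SLL or the
 * captured bytes are too short to hold the cooked header. */
int sll_parse(int linktype, const uint8_t *pkt, size_t caplen, struct sll_info *out)
{
    if (linktype != DLT_LINUX_SLL || caplen < SLL_HDR_LEN)
        return -1;
    out->pkttype  = be16(pkt);        /* first 2 bytes: derived from sll_pkttype */
    out->hatype   = be16(pkt + 2);
    out->halen    = be16(pkt + 4);
    out->protocol = be16(pkt + 14);   /* 8 address bytes sit at offset 6..13 */
    return 0;
}

/* '>' sent by this host, '<' any other known type, '?' unknown value. */
char sll_direction(uint16_t pkttype)
{
    if (pkttype == LINUX_SLL_OUTGOING) return '>';
    if (pkttype <= LINUX_SLL_OTHERHOST) return '<';
    return '?';
}

/* Constructed sample header: outgoing, ARPHRD 1, 6-byte address, IPv4. */
const uint8_t sample_out[SLL_HDR_LEN] = { 0x00,0x04, 0x00,0x01, 0x00,0x06,
    0x00,0x11,0x22,0x33,0x44,0x55,0x00,0x00, 0x08,0x00 };

int main(void)
{
    struct sll_info h;
    if (sll_parse(DLT_LINUX_SLL, sample_out, sizeof sample_out, &h) == 0)
        printf("%c proto 0x%04x\n", sll_direction(h.pkttype), h.protocol);
    return 0;
}
```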