On Fri, Feb 23, 2001 at 02:26:46PM -0800, Jason R Thorpe wrote:
> I'm working on a packet classification package which uses the BPF VM
> as the core. One of the important features of the package is that
> a classification point can be anywhere... with link-level headers or
> without.
>
> I'm using libpcap to compile the rules for the classification engine,
> and found that a new DLT was needed in order to express all of the
> possible filtering points. Basically, I needed a generalization of
> DLT_RAW (which means "raw IPv4").
>
> What I came up with is called DLT_RAWAF(family). So, DLT_RAW,
> strictly interpreted[*], would be DLT_RAWAF(AF_INET).

So would it ever be the case that a packet capture would be a
DLT_RAWAF(AF_xxx) capture?

If so, then we'd want to arrange to have platform-independent versions
of the DLT_RAWAF() values, to put in the capture file header, so that,
for example, a DLT_RAWAF(AF_INET6) capture would have the same
link-layer type in the header, regardless of which particular OS the
capture was done on.

If not, then the patch looks pretty much OK. The only questions I have
are:

	1) what about a DLT_RAWAF() value with an AF_ type other than
	   AF_UNSPEC, AF_INET, or AF_INET6? Should "gen_linktype()"
	   either print an error or just do "return gen_false()" in that
	   case?

	2) should, for AF_UNSPEC, code be generated to check the IP
	   header's version number for 4 or 6, depending on whether
	   "proto" is ETHERTYPE_IP or ETHERTYPE_IPV6?
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
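
An added illustration of the two questions in the message above, not part of the original thread and not libpcap code: a C predicate showing what a filter for a headerless capture point would have to decide per address family. The function `rawaf_match()`, its result codes and the sample bytes are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>            /* AF_UNSPEC, AF_INET, AF_INET6 */

#ifndef ETHERTYPE_IP
#define ETHERTYPE_IP   0x0800
#endif
#ifndef ETHERTYPE_IPV6
#define ETHERTYPE_IPV6 0x86dd
#endif

/* Hypothetical result codes; UNSUPPORTED leaves question 1 to the caller. */
enum { RAWAF_UNSUPPORTED = -1, RAWAF_NO_MATCH = 0, RAWAF_MATCH = 1 };

/* Constructed sample packets: first bytes of an IPv4 and an IPv6 header. */
static const uint8_t sample_v4[] = { 0x45, 0x00, 0x00, 0x14 };
static const uint8_t sample_v6[] = { 0x60, 0x00, 0x00, 0x00 };

/* Hypothetical predicate: does a packet with no link-level header, seen at
 * a point of the given address family, match ethertype `proto`? */
int rawaf_match(int family, int proto, const uint8_t *pkt, size_t len)
{
    if (family != AF_UNSPEC && family != AF_INET && family != AF_INET6)
        return RAWAF_UNSUPPORTED;          /* question 1: error or false */
    if (proto != ETHERTYPE_IP && proto != ETHERTYPE_IPV6)
        return RAWAF_NO_MATCH;             /* only IP can appear here */
    if (family == AF_INET)                 /* family known: constant answer */
        return proto == ETHERTYPE_IP;
    if (family == AF_INET6)
        return proto == ETHERTYPE_IPV6;
    /* AF_UNSPEC (question 2): decide from the version nibble of byte 0. */
    if (pkt == NULL || len < 1)
        return RAWAF_NO_MATCH;             /* truncated: nothing to test */
    return (pkt[0] >> 4) == (proto == ETHERTYPE_IP ? 4 : 6);
}

int main(void)
{
    printf("AF_UNSPEC, v4 bytes, ip:  %d\n",
           rawaf_match(AF_UNSPEC, ETHERTYPE_IP, sample_v4, sizeof sample_v4));
    printf("AF_UNSPEC, v4 bytes, ip6: %d\n",
           rawaf_match(AF_UNSPEC, ETHERTYPE_IPV6, sample_v4, sizeof sample_v4));
    return 0;
}
```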