On Thu, Mar 01, 2001 at 11:16:57PM -0800, Jason R Thorpe wrote:
> On Thu, Mar 01, 2001 at 10:07:21PM -0800, Guy Harris wrote:
>
> > > What I came up with is called DLT_RAWAF(family). So, DLT_RAW,
> > > strictly interpreted[*], would be DLT_RAWAF(AF_INET).
> >
> > So would it ever be the case that a packet capture would be a
> > DLT_RAWAF(AF_xxx) capture?
>
> DLT_RAWAF() is named as it is to indicate that AF_xxx should be used
> with it. But *any* AF_xxx constant may be used. AF_INET, AF_INET6,
> AF_DECNET, whatever.
>
> > If so, then we'd want to arrange to have platform-independent versions
> > of the DLT_RAWAF() values, to put in the capture file header, so that,
> > for example, a DLT_RAWAF(AF_INET6) capture would have the same
> > link-layer type in the header, regardless of which particular OS the
> > capture was done on.
>
> OIC -- for pcap_file_header's linktype field -- I forgot all about that,
> really.
>
> So, what happens for pcap_file_header in the DLT_NULL case? In that case,
> the packet has the AF_xxx constant prepended -- is there any attempt to
> translate those into a platform-independent format?
No.
Tcpdump currently doesn't try to cope with, for example, AF_INET6 not
being the same on all platforms (the FreeBSD value is different from the
NetBSD/OpenBSD value; I don't know what BSD/OS does); Ethereal copes
with it by treating either 24 (NetBSD/OpenBSD) or 28 (FreeBSD) as
meaning IPv6.
Tcpdump could, and probably should, do the same, although it should
probably do it the way Ethereal does, by defining the AF_xxx values
itself rather than by using the ones on the native OS. (Only the BSDs
use DLT_NULL, as far as I know.)
If only a limited number of AF_ values will ever appear in a capture
file, the same trick could be used - i.e., if 24 and 28 will always be
IPv6 in capture file headers on all platforms, treat either one as
meaning IPv6.
> > 2) should, for AF_UNSPEC, code be generated to check the IP
> > header's version number for 4 or 6, depending on whether
> > "proto" is ETHERTYPE_IP or ETHERTYPE_IPV6?
>
> Um, I guess we could do that, but it seems inconsistent with other code
> in gencode.c -- it seems that there's an assumption that ETHERTYPE_xx
> does the right thing already, and that's how the old DLT_RAW worked, too.
> (AF_UNSPEC is really only there to emulate that DLT's IPv6 behavior).
Arguably, the old DLT_RAW code is incorrect, for link-layer types that
would run both IPv4 and IPv6.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
