Hi Selçuk, if you're doing anything involving multiple link types and Wireshark/dumpcap, you'll want to check out the enhanced pcap-ng file format support in the latest SVN versions of Wireshark. So it seems, mergecap doesn't support merging multiple link-layer types in pcap-ng files yet, although as a workaround, you can concatenate the files (dumped with dumpcap -n) in order of date/time created, and receive a usable result.
Otherwise, if you ended up with a "cooked" capture file (as produced by capturing on the Linux "any" pseudo-device), you'll only get useful data from some of the packets. As with the pcap file format, I believe that the pcap_* APIs only let you work with one link-layer type at a time, although others are free to correct me on that, since I haven't worked with them directly.

I hope that helps,
Tyson.

On Fri, May 29, 2009 at 1:23 PM, Selçuk Cevher <[email protected]> wrote:
> Hi Everybody,
>
> First of all, I am not sure if this is the right place to ask this
> question.
>
> How can I determine the protocol running on data link layer (i.e.,
> Ethernet, Wi-Fi 802.11, etc) while analyzing packets in a "merged" dumped
> file with pcap format if the pcap file contains a mixture of packets with
> various data link layer protocols?
>
> libpcap has pcap_datalink(...) function allowing us to determine the data
> link layer protocol for live capture -- it gets this information directly
> from the actual network interface that is sniffed on.
>
> However, in the case of offline analysis, it seems pcap_datalink() will
> not work since it is not possible to know what kind of interface those
> packets came from.
>
> Any idea?
>
> Thanks.
>
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <[email protected]>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:[email protected]?subject=unsubscribe
>

--
Fight Internet Censorship! http://www.eff.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://i9.house404.co.uk/ | Twitter/FriendFeed/Skype: vmlemon | +447549728105
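The one-type-per-file versus per-interface distinction discussed in this thread is visible in the file headers: a classic pcap file declares a single link-layer type in its global header, while a pcap-ng file declares one in each Interface Description Block. The following Python is an added example, not part of the original thread; the function name `link_types` is an assumption and both sample captures are constructed inline.

```python
import struct

SHB, IDB = b"\x0a\x0d\x0d\x0a", 1          # pcap-ng block types
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond
               b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond

def link_types(data):
    """Return the LINKTYPE_ values a capture declares: exactly one for classic
    pcap, one per Interface Description Block (in file order) for pcap-ng."""
    if data[:4] in PCAP_MAGICS:
        if len(data) < 24:
            raise ValueError("truncated pcap global header")
        # The 'network' field is the last 4 bytes of the 24-byte global header.
        return [struct.unpack_from(PCAP_MAGICS[data[:4]] + "I", data, 20)[0]]
    if data[:4] != SHB:
        raise ValueError("not a pcap or pcap-ng file")
    found, off, endian = [], 0, "<"
    while off + 12 <= len(data):
        if data[off:off + 4] == SHB:
            # Each section header carries a byte-order magic (0x1A2B3C4D).
            bom = data[off + 8:off + 12]
            if bom not in (b"\x4d\x3c\x2b\x1a", b"\x1a\x2b\x3c\x4d"):
                raise ValueError("bad byte-order magic")
            endian = "<" if bom[0] == 0x4D else ">"
        btype, total = struct.unpack_from(endian + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("corrupt block length")
        if btype == IDB and total >= 20:
            # IDB body starts with a 16-bit link type for that interface.
            found.append(struct.unpack_from(endian + "H", data, off + 8)[0])
        off += total
    return found

def _block(btype, body):
    """Build one little-endian pcap-ng block (sample data only)."""
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

# Constructed samples: a "cooked" pcap header (LINKTYPE_LINUX_SLL = 113) and a
# pcap-ng section with an Ethernet (1) and an 802.11 (105) interface.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 113)
SAMPLE_PCAPNG = (_block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
                 + _block(1, struct.pack("<HHI", 1, 0, 65535))
                 + _block(1, struct.pack("<HHI", 105, 0, 65535)))

if __name__ == "__main__":
    print(link_types(SAMPLE_PCAP), link_types(SAMPLE_PCAPNG))
```

In pcap-ng, each Enhanced Packet Block carries an interface ID that indexes these Interface Description Blocks within its section, which is how a reader maps a packet to its link-layer type.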
