On May 29, 2009, at 5:23 AM, Selçuk Cevher wrote:

> How can I determine the protocol running on data link layer (i.e.,
> Ethernet, Wi-Fi 802.11, etc) while analyzing packets in a "merged"
> dumped file with pcap format if the pcap file contains a mixture of
> packets with various data link layer protocols ?

The only way a pcap file can validly contain a mixture of packets with various link layer protocols is if the *single* link-layer header type in the file is one of the few that support a per-packet link-layer type (such as DLT_ERF); the ones normally used when capturing with Wireshark don't support that, so you can't, for example, produce a valid pcap file by merging an Ethernet and an 802.11 capture (unless the 802.11 capture has fake Ethernet headers rather than 802.11 or 802.11+radio headers).

> libpcap has pcap_datalink(...) function allowing us to determine the
> data link layer protocol for live capture -- it gets this
> information directly from the actual network interface that is
> sniffed on.
>
> However, in the case of offline analysis, it seems pcap_datalink()
> will not work since it is not possible to know what kind of
> interface those packets came from.

It is, because the header of a pcap capture file includes a link layer header type value. It includes only one, however.
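
The single link-layer header type value mentioned in the reply above can be read straight from the 24-byte header of a classic pcap file. The following is an added example, not part of the original message and not libpcap code; the function names and the two sample headers are constructed for illustration, and it assumes the link type sits in the low 16 bits of the last header field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample file headers (24 bytes each), not from real captures. */
static const uint8_t SAMPLE_ETH_LE[24] = {   /* little-endian writer, type 1 (Ethernet) */
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00, 0,0,0,0, 0,0,0,0,
    0xff,0xff,0x00,0x00, 0x01,0x00,0x00,0x00 };
static const uint8_t SAMPLE_WIFI_BE[24] = {  /* big-endian writer, type 105 (802.11) */
    0xa1,0xb2,0xc3,0xd4, 0x00,0x02, 0x00,0x04, 0,0,0,0, 0,0,0,0,
    0x00,0x00,0xff,0xff, 0x00,0x00,0x00,0x69 };

/* Read a 32-bit field in the byte order the file was written in. */
static uint32_t rd32(const uint8_t *p, int big_endian) {
    return big_endian
        ? ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]
        : ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

/* Link-layer header type from a pcap file header, or -1 if not a pcap header.
 * Layout: magic(4) version(2+2) thiszone(4) sigfigs(4) snaplen(4) linktype(4). */
long pcap_file_linktype(const uint8_t *buf, size_t len) {
    int big_endian;
    uint32_t magic;
    if (len < 24) return -1;                 /* truncated header */
    magic = rd32(buf, 1);                    /* magic also reveals byte order */
    if (magic == 0xa1b2c3d4u || magic == 0xa1b23c4du) big_endian = 1;
    else if (magic == 0xd4c3b2a1u || magic == 0x4d3cb2a1u) big_endian = 0;
    else return -1;
    /* Assumption: link type is in the low 16 bits of the field. */
    return (long)(rd32(buf + 20, big_endian) & 0xffffu);
}

/* A plain merge into one pcap file is only valid when both link types match. */
int mergeable_as_pcap(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen) {
    long ta = pcap_file_linktype(a, alen), tb = pcap_file_linktype(b, blen);
    return ta >= 0 && ta == tb;
}

int main(void) {
    printf("eth:  %ld\n", pcap_file_linktype(SAMPLE_ETH_LE, sizeof SAMPLE_ETH_LE));
    printf("wifi: %ld\n", pcap_file_linktype(SAMPLE_WIFI_BE, sizeof SAMPLE_WIFI_BE));
    printf("mergeable: %d\n", mergeable_as_pcap(SAMPLE_ETH_LE, 24, SAMPLE_WIFI_BE, 24));
    return 0;
}
```

With libpcap itself, the same value is what pcap_datalink() returns for a handle opened on a savefile.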
