On May 10, 2012, at 2:06 PM, Jeff Morriss wrote:
> Richard Sharpe wrote:
>> Hi folks,
>>
>> The problem with my changes to support pcap-ng through pipes seems to
>> be that I am not communicating linktype correctly.
>>
>> What is the secret?
>
> IIRC Wireshark gets the linktype of the interfaces BEFORE the capture
> starts.

Actually, *Wireshark* gets the linktype of the interface(s) as it reads the
output of dumpcap.

The question is where *dumpcap* gets the linktype. From an interface, it gets
it from a pcap_datalink() call once the interface is open, but that doesn't
work on a pipe. For a pipe, cap_pipe_open_live() reads the pcap file header
from the pipe and then uses the link-layer header type from the file header.

However, if we're going to support capturing from a pipe to which a
pcap-ng-format data stream is being written, there's no longer a linktype -
there's a list of one *or more* interfaces, not all of which necessarily have
the same link-layer header type.

That might mean that dumpcap's capture-pipe-reading architecture would need to
change to (fully) support pcap-ng; perhaps that might involve changing the
message sequence between dumpcap and {Wire,T}shark so that dumpcap sends
messages to its client saying "a new interface has arrived, here's an Interface
Description Block for it" (with an IDB being synthesized from the file header
if a pcap-format data stream is being read from the pipe).
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: http://www.wireshark.org/lists/wireshark-dev
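The difference described in the message above, as an added example that is not part of the original thread and is not dumpcap code: a pcap stream carries one link-layer type in its file header, while a pcap-ng section carries one per Interface Description Block. The function name `stream_linktypes` and its interface are hypothetical; the offsets follow the pcap and pcap-ng file layouts, and every length read from the pipe is treated as untrusted.

```c
#include <stddef.h>
#include <stdint.h>

#define PCAP_MAGIC    0xa1b2c3d4u /* pcap, microsecond timestamps */
#define PCAP_NS_MAGIC 0xa1b23c4du /* pcap, nanosecond timestamps */
#define NG_SHB        0x0a0d0d0au /* Section Header Block type (same in both byte orders) */
#define NG_BOM        0x1a2b3c4du /* byte-order magic inside the SHB */
#define NG_IDB        0x00000001u /* Interface Description Block type */

static uint32_t rd32(const uint8_t *p, int be)
{
    return be ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
              : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* Hypothetical helper: store one link-layer type per interface announced at
 * the start of buf. Returns the number of interfaces found so far, or -1 if
 * the data is neither pcap nor pcap-ng, a block is malformed, or max is hit. */
int stream_linktypes(const uint8_t *buf, size_t len, uint32_t *types, int max)
{
    int be, n = 0;
    size_t off = 0;

    if (len < 24 || max < 1)
        return -1;
    for (be = 0; be <= 1; be++)     /* pcap: the magic number gives the byte order */
        if (rd32(buf, be) == PCAP_MAGIC || rd32(buf, be) == PCAP_NS_MAGIC) {
            types[0] = rd32(buf + 20, be);  /* "network" field: the one synthesized interface */
            return 1;
        }
    be = (rd32(buf + 8, 1) == NG_BOM);      /* pcap-ng: 1 means a big-endian section */
    if (rd32(buf, 0) != NG_SHB || rd32(buf + 8, be) != NG_BOM)
        return -1;
    while (len - off >= 12) {
        uint32_t type = rd32(buf + off, be), blen = rd32(buf + off + 4, be);
        if ((off > 0 && type == NG_SHB) || blen > len - off)
            break;      /* a new section begins, or the block is not fully read yet */
        if (blen < 12 || blen % 4 || rd32(buf + off + blen - 4, be) != blen)
            return -1;  /* too short, misaligned, or trailing length mismatch */
        if (type == NG_IDB) {
            if (blen < 20 || n == max)
                return -1;
            types[n++] = (rd32(buf + off + 8, be) >> (be ? 16 : 0)) & 0xffff;
        }
        off += blen;
    }
    return n;
}
```

On a pipe, a count lower than expected only means later blocks have not arrived yet; the caller reads more bytes and calls again.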