On Thu, May 10, 2012 at 4:14 PM, Guy Harris <[email protected]> wrote:
>
> On May 10, 2012, at 2:06 PM, Jeff Morriss wrote:
>
>> Richard Sharpe wrote:
>>> Hi folks,
>>>
>>> The problem with my changes to support pcap-ng through pipes seems to
>>> be that I am not communicating linktype correctly.
>>>
>>> What is the secret?
>>
>> IIRC Wireshark gets the linktype of the interfaces BEFORE the capture
>> starts.
>
> Actually, *Wireshark* gets the linktype of the interface(s) as it reads the
> output of dumpcap.
>
> The question is where *dumpcap* gets the linktype. From an interface, it
> gets it from a pcap_datalink() call once the interface is open, but that
> doesn't work on a pipe. For a pipe, cap_pipe_open_live() reads the pcap
> file header from the pipe and then uses the link-layer header type from
> the file header.
>
> However, if we're going to support capturing from a pipe to which a
> pcap-ng-format data stream is being written, there's no longer a linktype -
> there's a list of one *or more* interfaces, not all of which necessarily
> have the same link-layer header type.
>
> That might mean that dumpcap's capture-pipe-reading architecture would need
> to change to (fully) support pcap-ng; perhaps that might involve changing
> the message sequence between dumpcap and {Wire,T}shark so that dumpcap
> sends messages to its client saying "a new interface has arrived, here's an
> Interface Description Block for it" (with an IDB being synthesized from the
> file header if a pcap-format data stream is being read from the pipe).

OK, that gives me the hint I was looking for ...

--
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. -- Cao Cao)
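The difference described in the quoted message, as an added example in C that is not dumpcap's code and not part of this thread: a pcap stream yields one link-layer type from its file header, while a pcap-ng stream yields one per Interface Description Block, and those blocks can arrive after packet blocks. The names `rd`, `collect_linktypes` and `sample_pcapng` are hypothetical; the sketch assumes the data is already in a buffer, handles only the first pcap-ng section, and recognizes only the microsecond pcap magic.

```c
#include <stddef.h>
#include <stdint.h>

/* Read an n-byte unsigned field in the stream's byte order (be != 0: big-endian). */
static uint32_t rd(const uint8_t *p, int n, int be) {
    uint32_t v = 0;
    for (int i = 0; i < n; i++) v = (v << 8) | p[be ? i : n - 1 - i];
    return v;
}

/* Hypothetical helper: store one link-layer type per interface found in buf.
 * pcap gives one entry (file header); pcap-ng gives one per IDB in the first
 * section. Returns the interface count, or -1 on malformed or unknown data. */
int collect_linktypes(const uint8_t *buf, size_t len, uint32_t *lt, int max) {
    if (len < 12) return -1;
    uint32_t m = rd(buf, 4, 1);
    if (m == 0xa1b2c3d4 || m == 0xd4c3b2a1) {         /* pcap file header */
        if (len < 24 || max < 1) return -1;
        lt[0] = rd(buf + 20, 4, m == 0xa1b2c3d4);     /* network field */
        return 1;
    }
    if (m != 0x0a0d0d0a) return -1;                   /* not a pcap-ng SHB */
    uint32_t bom = rd(buf + 8, 4, 1);                 /* byte-order magic */
    if (bom != 0x1a2b3c4d && bom != 0x4d3c2b1a) return -1;
    int be = (bom == 0x1a2b3c4d), n = 0;
    for (size_t off = 0; len - off >= 12; ) {
        uint32_t type = rd(buf + off, 4, be), blen = rd(buf + off + 4, 4, be);
        /* Lengths are supplied by the pipe writer: never step past the buffer. */
        if (blen < 12 || blen % 4 || blen > len - off) return -1;
        if (type == 0x0a0d0d0a && off != 0) break;    /* next section starts */
        if (type == 1) {                              /* IDB: a new interface */
            if (blen < 20 || n == max) return -1;
            lt[n++] = rd(buf + off + 8, 2, be);
        }
        off += blen;
    }
    return n;
}

/* Constructed sample (little-endian): SHB, IDB with linktype 1, a Simple
 * Packet Block with no data, then a second IDB with linktype 127. */
const uint8_t sample_pcapng[] = {
    0x0a,0x0d,0x0d,0x0a, 28,0,0,0, 0x4d,0x3c,0x2b,0x1a, 1,0, 0,0,
    0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 28,0,0,0,
    1,0,0,0, 20,0,0,0, 1,0, 0,0, 0,0,0,0, 20,0,0,0,
    3,0,0,0, 16,0,0,0, 0,0,0,0, 16,0,0,0,
    1,0,0,0, 20,0,0,0, 127,0, 0,0, 0,0,0,0, 20,0,0,0,
};
```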
