On Thu, May 10, 2012 at 6:18 PM, Richard Sharpe <[email protected]> wrote:
> On Thu, May 10, 2012 at 4:14 PM, Guy Harris <[email protected]> wrote:
>>
>> On May 10, 2012, at 2:06 PM, Jeff Morriss wrote:
>>
>>> Richard Sharpe wrote:
>>>> Hi folks,
>>>>
>>>> The problem with my changes to support pcap-ng through pipes seems to
>>>> be that I am not communicating linktype correctly.
>>>>
>>>> What is the secret?
>>>
>>> IIRC Wireshark gets the linktype of the interfaces BEFORE the capture
>>> starts.
>>
>> Actually, *Wireshark* gets the linktype of the interface(s) as it reads the
>> output of dumpcap.
>>
>> The question is where *dumpcap* gets the linktype. From an interface, it
>> gets it from a pcap_datalink() call once the interface is open, but that
>> doesn't work on a pipe. For a pipe, cap_pipe_open_live() reads the pcap
>> file header from the pipe and then uses the link-layer header type from
>> the file header.
>>
>> However, if we're going to support capturing from a pipe to which a
>> pcap-ng-format data stream is being written, there's no longer a
>> linktype - there's a list of one *or more* interfaces, not all of which
>> necessarily have the same link-layer header type.
>>
>> That might mean that dumpcap's capture-pipe-reading architecture would
>> need to change to (fully) support pcap-ng; perhaps that might involve
>> changing the message sequence between dumpcap and {Wire,T}shark so that
>> dumpcap sends messages to its client saying "a new interface has
>> arrived, here's an Interface Description Block for it" (with an IDB
>> being synthesized from the file header if a pcap-format data stream is
>> being read from the pipe).
>
> OK, that gives me the hint I was looking for ...

If I forcibly set the linktype to 1 when reading the first header (the
SHB) during pcap_live_open, then things work as I expect.

Now to figure out the communication between dumpcap and Wireshark et al.

--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: http://www.wireshark.org/lists/wireshark-dev
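
Added example, not part of the thread and not dumpcap's code: a bounds-checked reader that shows the difference discussed above, one file-wide linktype from a pcap header versus one linktype per Interface Description Block in a pcap-ng stream. The name stream_linktypes() is hypothetical, and it assumes a single pcap-ng section whose leading blocks are already in the buffer.

```c
#include <stddef.h>
#include <stdint.h>

/* Read a 32-bit / 16-bit field in the stream's byte order (be = big-endian). */
static uint32_t rd32(const uint8_t *p, int be) {
    return be ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
              : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}
static uint16_t rd16(const uint8_t *p, int be) {
    return be ? (uint16_t)(p[0] << 8 | p[1]) : (uint16_t)(p[1] << 8 | p[0]);
}

/* Collect link-layer header types from the start of a capture stream.
 * Returns the number of interfaces seen (the first `max` are stored in out),
 * or -1 if the data is neither pcap nor pcap-ng or an IDB is malformed.
 * Assumption of this example: one pcap-ng section (one byte order). */
int stream_linktypes(const uint8_t *buf, size_t len, uint32_t *out, int max) {
    if (len < 12) return -1;
    uint32_t magic = rd32(buf, 1);
    if (magic != 0x0A0D0D0A) {                 /* not an SHB: try pcap */
        int be;
        if (magic == 0xA1B2C3D4 || magic == 0xA1B23C4D) be = 1;
        else if (magic == 0xD4C3B2A1 || magic == 0x4D3CB2A1) be = 0;
        else return -1;
        if (len < 24 || max < 1) return -1;
        out[0] = rd32(buf + 20, be);           /* single file-wide linktype */
        return 1;
    }
    /* pcap-ng: the byte-order magic follows the SHB's type and length. */
    uint32_t bom = rd32(buf + 8, 1);
    int be = (bom == 0x1A2B3C4D);
    if (!be && bom != 0x4D3C2B1A) return -1;
    int n = 0;
    size_t off = 0;
    while (len - off >= 12) {
        uint32_t type = rd32(buf + off, be);
        uint32_t blen = rd32(buf + off + 4, be);
        /* Stop at a bad length or a block not fully received yet. */
        if (blen < 12 || blen % 4 || blen > len - off) break;
        if (type == 1) {                       /* Interface Description Block */
            if (blen < 20) return -1;
            if (n < max) out[n] = rd16(buf + off + 8, be);
            n++;
        }
        off += blen;
    }
    return n;
}
```

A return value of 0 for a pcap-ng stream means only the SHB has arrived so far, which is why a linktype cannot be taken from the first header alone.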
