On May 10, 2012, at 6:49 PM, Richard Sharpe wrote: > If I forcibly set the linktype to 1 when reading the first header (the > SHB) during pcap_live_open, then things work as I expect.
1 is LINKTYPE_ETHERNET. Does it still work if you forcibly set the linktype to 1 and send down the pipe a capture where the first interface *isn't* supplying Ethernet headers? (And, as per my mail, what happens if you send down the pipe a capture where the first interface supplies 802.11 headers and the second interface supplies USB headers, for example? In that case, there *is* no linktype, there's more than one linktype.) > Now to figure out the communication between dumpcap and Wireshark et al. Note that, as per my mail, dumpcap communicates the link-layer type in the pcap file header's "linktype" field if it's writing a pcap file and communicates the link-layer types (plural!) in the pcap-ng file's IDBs if it's writing a pcap-ng file; Wireshark just incrementally reads the capture file. The messages from dumpcap to Wireshark on the sync pipe just say things such as "there are N more packets to read from the capture file" or "I've stopped writing to that capture file and am now writing to a capture file with this pathname"; they do not say "this capture has link-layer header type XXX", or even "this capture has a new interface with link-layer header type XXX" (given that "this capture has link-layer type XXX" is insufficient to fully support capturing on multiple interfaces, which 1.7.x supports). ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <[email protected]> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:[email protected]?subject=unsubscribe
