On Thu, May 10, 2012 at 7:05 PM, Guy Harris <[email protected]> wrote: > > On May 10, 2012, at 6:49 PM, Richard Sharpe wrote: > >> If I forcibly set the linktype to 1 when reading the first header (the >> SHB) during pcap_live_open, then things work as I expect. > > 1 is LINKTYPE_ETHERNET. Does it still work if you forcibly set the linktype > to 1 and > send down the pipe a capture where the first interface *isn't* supplying > Ethernet headers?
I would not expect it to. My quick fix was simply to determine if I am getting most things correct. > (And, as per my mail, what happens if you send down the pipe a capture where > the first > interface supplies 802.11 headers and the second interface supplies USB > headers, for > example? In that case, there *is* no linktype, there's more than one > linktype.) I would expect massive fail. However, I currently only have a pcapng file with one IDB in it. >> Now to figure out the communication between dumpcap and Wireshark et al. > > The messages from dumpcap to Wireshark on the sync pipe just say things such > as "there > are N more packets to read from the capture file" or "I've stopped writing to > that capture > file and am now writing to a capture file with this pathname"; they do not > say "this capture > has link-layer header type XXX", or even "this capture has a new interface > with link-layer > header type XXX" (given that "this capture has link-layer type XXX" is > insufficient to fully > support capturing on multiple interfaces, which 1.7.x supports). It would seem that we need to say "this packet has link-layer type XXX" and the pcap-opts that is passed some of the way in supports that, it seems. -- Regards, Richard Sharpe (何以解憂?唯有杜康。--曹操) ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <[email protected]> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:[email protected]?subject=unsubscribe
