On May 10, 2012, at 7:11 PM, Richard Sharpe wrote: > On Thu, May 10, 2012 at 7:05 PM, Guy Harris <[email protected]> wrote: > >> The messages from dumpcap to Wireshark on the sync pipe just say things such >> as "there >> are N more packets to read from the capture file" or "I've stopped writing >> to that capture >> file and am now writing to a capture file with this pathname"; they do not >> say "this capture >> has link-layer header type XXX", or even "this capture has a new interface >> with link-layer >> header type XXX" (given that "this capture has link-layer type XXX" is >> insufficient to fully >> support capturing on multiple interfaces, which 1.7.x supports). > > It would seem that we need to say "this packet has link-layer type > XXX" and the pcap-opts that is passed some of the way in supports > that, it seems.
The way that we say "this packet has link-layer type XXX" is that wtap_read() fills in a structure that includes the packet's WTAP_ENCAP value. How the WTAP_ENCAP value is determined is dependent on the file type - all packets in a pcap file have the WTAP_ENCAP value from the file header, packets from a pcap-ng file have an interface ID that refers to an already-seen IDB that gives the WTAP_ENCAP value for packets on that interface, etc. That's independent of the capture options. When capturing on an interface supported by libpcap/WinPcap, the option that's passed in for that interface has a DLT_ value to pass to pcap_set_datalink() after that interface is opened (for most interfaces, there's only one possible DLT_ value, and that's the one that's passed in); when capturing on a pipe, the link-layer header type cannot be set, as the packets being written to the pipe have whatever header they have. ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <[email protected]> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:[email protected]?subject=unsubscribe
