On Aug 18, 2015, at 9:22 AM, Jim Young <[email protected]> wrote:
> Instead of supplying an ethernet header with the mac addresses of all zeros,
> would it make more sense to supply a NULL/Loopback encapsulation type to
> packets captured in the Npcap LoopBack Interface?
It looks as if the loopback interface supplies only IPv4 and IPv6 packets.
In that case, either DLT_NULL, DLT_LOOP, or DLT_RAW would work.
For DLT_NULL and DLT_LOOP, the packet has a 4-byte header followed by the IP
datagram. For DLT_NULL, the 4-byte header is in the byte order of the host on
which the capture is being done; for DLT_LOOP, it's in network byte order. The
value is 2 for IPv4 and, for IPv6:
24 for OpenBSD, NetBSD, and BSD/OS;
28 for FreeBSD;
30 for OS X and iOS;
10 for Linux;
26 for Solaris;
23 for Windows;
because 4.2BSD defined AF_INET to be 2 but, as IPv6 didn't exist yet, didn't
define AF_INET6, so everybody ran off and defined it differently.
For DLT_RAW, the packet begins with the IP datagram; code to dissect the packet
looks at the version number in the IP header to determine whether it's IPv4 or
IPv6.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]?subject=unsubscribe
