This is probably a FAQ++, but I'm having trouble using Pcap for savefiles that were captured from a loopback device.
There are 2 problems here:

1) In general, how is one supposed to determine what the layer-2 protocol is? I've traditionally always assumed Ethernet, because I don't know how to determine it automatically.

2) It seems that the loopback header format is different for Linux and BSD/Mac. Linux seems to 'fake' the header with an Ethernet-style format with zeroed-out source/destination addresses, and only fill in the layer-3 protocol number. BSD/Mac use a single 4-byte field to indicate the layer-3 protocol number. How does one handle this when parsing packets read from Pcap?

Thanks,
Adam

-
This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
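
An added example, not part of the original message and not libpcap code: a parser that takes the link-layer type from the savefile header instead of assuming Ethernet, then finds the IP header for the two loopback layouts described above. The names `savefile_linktype`, `l3_offset` and `rd32` are made up for this sketch, and only IPv4 and IPv6 are recognised.

```c
#include <stddef.h>
#include <stdint.h>

/* Link-layer type numbers from the savefile header; libpcap's
 * pcap_datalink() reports the same values for an opened capture. */
enum { LT_NULL = 0,      /* DLT_NULL: BSD/macOS loopback */
       LT_EN10MB = 1 };  /* DLT_EN10MB: Ethernet, and Linux "lo" */

static uint32_t rd32(const uint8_t *p, int big)
{
    uint32_t be = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    uint32_t le = ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
    return big ? be : le;
}

/* Link type from the 24-byte savefile header, or -1 if it is not pcap. */
long savefile_linktype(const uint8_t *h, size_t len)
{
    if (len < 24) return -1;
    uint32_t m = rd32(h, 1);
    int big;
    if (m == 0xa1b2c3d4u || m == 0xa1b23c4du) big = 1;       /* big-endian writer */
    else if (m == 0xd4c3b2a1u || m == 0x4d3cb2a1u) big = 0;  /* little-endian writer */
    else return -1;
    return (long)(rd32(h + 20, big) & 0xffffu);  /* low 16 bits hold the type */
}

/* Offset of the IP header within one captured packet, with its version
 * (4 or 6) in *ipver; -1 if the packet is short or does not carry IP. */
int l3_offset(long linktype, const uint8_t *pkt, size_t len, int *ipver)
{
    if (linktype == LT_EN10MB) {              /* 6 dst + 6 src + 2 EtherType */
        if (len < 15) return -1;
        unsigned et = ((unsigned)pkt[12] << 8) | pkt[13];
        *ipver = et == 0x0800 ? 4 : et == 0x86dd ? 6 : 0;
        return *ipver ? 14 : -1;
    }
    if (linktype == LT_NULL) {                /* 4-byte AF_ value, writer's byte order */
        if (len < 5) return -1;
        uint32_t af = rd32(pkt, 0);
        if (af > 0xffffu) af = rd32(pkt, 1);  /* written by a big-endian host */
        /* AF_INET is 2 everywhere; AF_INET6 is 24, 28 or 30 depending on the OS */
        *ipver = af == 2 ? 4 : (af == 24 || af == 28 || af == 30) ? 6 : 0;
        return *ipver ? 4 : -1;
    }
    return -1;                                /* other link types not handled here */
}
```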