Adam M. wrote:
> This is probably a FAQ++, but I'm having trouble using Pcap for
> savefiles that were captured from a loopback device.
> There are 2 problems here:
> 1) In general, how is one supposed to determine what the layer-2
> protocol is?
Call pcap_datalink() on the pcap_t. It'll indicate what the layer-2
*header* is - which might not directly correspond to the type of device
on which you're capturing; 802.11 device drivers and devices might
supply Ethernet headers (DLT_EN10MB) or 802.11 headers (DLT_IEEE802_11)
or 802.11 headers plus radio information (DLT_PRISM_HEADER,
DLT_IEEE802_11_RADIO, DLT_IEEE802_11_RADIO_AVS), and loopback devices
might supply traditional BSD-style loopback headers (DLT_NULL) or
OpenBSD-style loopback headers (DLT_LOOP) or Ethernet headers (DLT_EN10MB).
> 2) It seems that the loopback header format is different for Linux and
> BSD/Mac. Linux seems to 'fake' the header with an Ethernet-style format
> with zero'd out source/destination addresses, and only fill in the
> layer-3 protocol number. BSD/Mac use a single 4-byte field to indicate
> the layer-3 protocol number.
Exactly.
Furthermore, different BSDs have different headers; FreeBSD, NetBSD, and
OS X supply DLT_NULL headers, with the 4-byte field being in host byte
order, and newer versions of OpenBSD supply DLT_LOOP headers, with the
4-byte field being in *network* byte order.
In addition, with DLT_NULL and DLT_LOOP, IPv4 has the same layer-3
protocol number in all BSDs (AF_INET is 2 in all of them), but IPv6 has
different link-layer type values in different BSDs (AF_INET6 is 24 in
OpenBSD and NetBSD, 28 in FreeBSD, and 30 in OS X/Darwin).
> How does one handle this when parsing packets read from Pcap?
By using pcap_datalink() to determine the link-layer header type.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
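As an added example (not part of the post above, and not code from libpcap or tcpdump), the Python below reads a classic pcap savefile from memory, takes the link-layer header type from the file header (the same value pcap_datalink() returns when the savefile is opened) and resolves the layer-3 protocol of each record with the rules the reply lays out: DLT_NULL carries a 4-byte address family in the capturing host's byte order, DLT_LOOP carries it in network byte order, and DLT_EN10MB (what Linux produces on lo) carries an EtherType. The per-BSD AF_INET6 values are the ones quoted in the reply. The three "captures" at the bottom are constructed in the block, not real traffic; all constant and function names are this example's own. Since savefiles can be moved between machines of different byte order, the reader also shows the general case: the magic number selects the byte order for every header field, and the DLT_NULL family gets a byte-swap sanity check of the kind tcpdump applies.

```python
import struct

# Link-layer header type values as stored in the savefile header.
DLT_NULL = 0      # BSD loopback: 4-byte AF_ value in the capturing host's byte order
DLT_EN10MB = 1    # Ethernet: 14-byte header, EtherType in network byte order
DLT_LOOP = 108    # OpenBSD loopback: 4-byte AF_ value in network byte order

PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = 24   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = 16   # ts_sec, ts_usec, incl_len, orig_len

AF_INET = 2                                            # same value on every BSD
AF_INET6 = {24: "OpenBSD/NetBSD", 28: "FreeBSD", 30: "OS X/Darwin"}
ETHERTYPE = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP"}


def read_savefile(data):
    """Parse an in-memory pcap savefile into (byte_order, linktype, [packet, ...]).

    The magic number reveals the writer's byte order, which governs every
    header field that follows; linktype is what pcap_datalink() would return.
    """
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        bo = "<"
    elif magic == 0xD4C3B2A1:          # same magic seen from the other byte order
        bo = ">"
    else:
        raise ValueError("not a classic pcap savefile (magic %#010x)" % magic)
    linktype, = struct.unpack_from(bo + "I", data, 20)
    packets, off = [], GLOBAL_HDR
    while off + RECORD_HDR <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(bo + "IIII", data, off)
        off += RECORD_HDR
        if off + incl_len > len(data):
            raise ValueError("truncated record at offset %d" % off)
        packets.append(data[off:off + incl_len])
        off += incl_len
    return bo, linktype, packets


def _family_name(family):
    if family == AF_INET:
        return "IPv4"
    if family in AF_INET6:
        return "IPv6 (AF_INET6=%d, %s)" % (family, AF_INET6[family])
    return "AF %d" % family


def layer3_protocol(linktype, pkt, bo):
    """Name the layer-3 protocol of one packet, dispatching on the link type."""
    if linktype == DLT_NULL:
        if len(pkt) < 4:
            return "truncated"
        family, = struct.unpack_from(bo + "I", pkt, 0)
        # AF_ values are small; a nonzero upper half means the field was
        # written in the other byte order, so swap it (tcpdump does likewise).
        if family & 0xFFFF0000:
            family, = struct.unpack_from((">" if bo == "<" else "<") + "I", pkt, 0)
        return _family_name(family)
    if linktype == DLT_LOOP:
        if len(pkt) < 4:
            return "truncated"
        family, = struct.unpack_from(">I", pkt, 0)       # always network byte order
        return _family_name(family)
    if linktype == DLT_EN10MB:
        if len(pkt) < 14:
            return "truncated"
        ethertype, = struct.unpack_from(">H", pkt, 12)   # MACs are zero on Linux lo
        return ETHERTYPE.get(ethertype, "EtherType %#06x" % ethertype)
    return "unhandled DLT %d" % linktype


def summarize(data):
    bo, linktype, packets = read_savefile(data)
    return [layer3_protocol(linktype, p, bo) for p in packets]


# --- constructed sample savefiles (synthetic, not real captures) ---------------

def build_savefile(linktype, packets, bo="<"):
    out = struct.pack(bo + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for p in packets:
        out += struct.pack(bo + "IIII", 0, 0, len(p), len(p)) + p
    return out


IPV4_STUB = bytes([0x45]) + b"\x00" * 19   # first 20 bytes of a fake IPv4 header
IPV6_STUB = bytes([0x60]) + b"\x00" * 39   # first 40 bytes of a fake IPv6 header

# FreeBSD lo0 on a little-endian host: DLT_NULL, AF_INET6 == 28.
FREEBSD_LO = build_savefile(DLT_NULL, [struct.pack("<I", AF_INET) + IPV4_STUB,
                                       struct.pack("<I", 28) + IPV6_STUB])
# OpenBSD lo0: DLT_LOOP, family in network byte order, AF_INET6 == 24.
OPENBSD_LO = build_savefile(DLT_LOOP, [struct.pack(">I", AF_INET) + IPV4_STUB,
                                       struct.pack(">I", 24) + IPV6_STUB])
# Linux lo: fake Ethernet header, zeroed MACs, real EtherType.
LINUX_LO = build_savefile(DLT_EN10MB, [b"\x00" * 12 + b"\x08\x00" + IPV4_STUB,
                                       b"\x00" * 12 + b"\x86\xdd" + IPV6_STUB])
# Darwin lo0 written by a big-endian host: swapped magic, AF_INET6 == 30.
DARWIN_BE = build_savefile(DLT_NULL, [struct.pack(">I", 30) + IPV6_STUB], bo=">")

if __name__ == "__main__":
    for name, f in ("FreeBSD", FREEBSD_LO), ("OpenBSD", OPENBSD_LO), ("Linux", LINUX_LO):
        print(name, summarize(f))
```

Running it prints IPv4 and IPv6 for each of the three files; the same IPv6 packet is identified through a 28 on FreeBSD, a 24 on OpenBSD and an EtherType of 0x86DD on Linux, which is the point of dispatching on the link type before touching the packet bytes.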