Hi Guy,
Guy Harris wrote:
> On Jul 31, 2007, at 7:43 PM, Phil Mulholland wrote:
>> I'd like to request a new DLT value for our internal header format.
>> We have a patched version of libpcap that can capture packets from our
>> custom board. The board can optionally attach its own header to the
>> packets, before the Ethernet header. We call it an RAIF1 header so
>> something like DLT_RAIF1 would be good.
>>
>> I can make more information available, but currently it's only really
>> useful to our customers that have a board.
>
> I note that tcpdump, Snort, Wireshark, and ntop are mentioned on your
> company's website; will patches for any of those be distributed to
> handle DLT_RAIF1?
Generally it's not needed to use DLT_RAIF1, as we also support EN10MB and RAW. We have a
quick and dirty patch for tcpdump, but not yet for the other applications. We are happy to
release patches (including libpcap) back into the main source code tree... but I would
like to clean up the source first.
> In addition, we might want to know what information is provided in the
> header, to guide future work on the pcap-NG file format and on tcpdump,
> Wireshark, etc.
Sure. The header is used to multiplex PCI frames and Ethernet frames onto a custom
processor interface. Our libpcap patch captures from this interface. It looks like:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Ver | | | Application ID TAG |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Src Addr | Dest Addr | Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | Frame Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Ver = 1
Src Addr/Dest Address - Onboard routing information
Application ID Tag/Sequence Number - Optional, for application usage
Frame length - In bytes, length of data following the header.
Regards,
Phil
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.