[sorry for the broken threading, I was not previously subscribed.]
On Thu, Feb 9, 2012 at 6:36 AM, Guy Harris <g...@alum.mit.edu> wrote:
> On Feb 8, 2012, at 3:26 AM, mike wakerly wrote:
>> Hosts need to record frame directionality in addition to
>> raw frame data. As an example, a psuedo-header prepended to
>> individual LLCP frames recorded in this format might look like this:
>>
>> struct llcp_phdr {
>> guint16 adapter; /* Adapter number, typically 0. */
>> guint16 flags; /* Direction flag (TX/RX) and future use. */
>> };
>>
>> Can you allocate a new DLT_ for this?
>
> Yes, once there's a firm final specification for what the
> pseudo-header will look like for all frames. (If
> there's more than one type of pseudo-header, there will have to be
> more than one link-layer header type
> value allocated, one for each pseudo-header type.)
No problem. Let's go with more condensed version of my example:
struct llcp_phdr {
guint8 adapter; /* Adapter number, typically 0. */
guint8 flags; /* Direction flag (TX/RX) and future use. */
};
The least significant bit of `flags` indicates packet direction (1 =
TX, 0 = RX); all other bits are undefined.
Here's a tcpdump-docs change on github (lmk and I'll turn it into a
pull request):
https://github.com/mik3y/tcpdump-htdocs/commit/74a72c24ab67fef976f09ce0f6543830fc5f0199
> Presumably what follows the pseudo-header will be an LLCP PDU of the
> form described in section 4.1 "LLC PDU
> Format" of the LLCP specification, i.e. a byte containing the DSAP and
> upper two bits of the PTYPE,
> followed by a byte containing the lower two bits of the PTYPE and the
> SSAP, followed by the sequence byte if
> the frame has sequence numbers, followed by the bytes of payload.
Yes, that's precisely it!
thanks!
mike
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
