On Oct 23, 2014, at 11:29 AM, Michael Richardson <m...@sandelman.ca> wrote:

> On the other hand, we have:
> /*
> * Link-layer header type for the netlink protocol (nlmon devices).
> */
> #define LINKTYPE_NETLINK              253
> 
> which suggests that I can capture all netlink messages (which is what I want
> to do) into a pcap file.  I'm unclear if our tcpdump forces printer might
> know how to decode those netlink messages (not in an IP/TCP enclosure); I
> suspect not?

The Wireshark dissector for those messages indicates that they begin with a 
LINKTYPE_LINUX_SLL-type header of the form:

        2 unused bytes;

        2 bytes of big-endian "hardware address type";

        10 unused bytes;

        2 bytes of big-endian netlink family values (NETLINK_ values from 
<linux/netlink.h>);

followed by a sequence of netlink messages, each of which has:

        a Netlink message header, as per section 2.3.2 "Netlink Message Header" 
of RFC 3549 (the Wireshark dissector assumes the fields are little-endian - but 
are they really *host*-endian?);

        Netlink message data (presumably as per RFC 3549 and, for types not 
described there, the Linux kernel).

I'll leave it to someone more clueful than me to indicate whether Netlink 
messages resemble those of what print-forces.c prints or not.
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
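The header layout described in the reply above, turned into a small decoder as an added example (this is not code from the thread, from tcpdump or from Wireshark). It parses the 16-byte pseudo-header exactly as listed (2 unused, 2 big-endian hardware address type, 10 unused, 2 big-endian netlink family) and then walks the nlmsghdr sequence from RFC 3549 section 2.3.2. Two things are assumptions, not facts stated in the message: nlmsghdr is decoded little-endian by default, mirroring what the Wireshark dissector does (pass `byte_order=">"` for a capture taken on a big-endian host), and successive messages are stepped over with 4-byte alignment, which is the kernel's NLMSG_ALIGN behaviour. The sample packet is constructed inline and is not a real capture; the constant values come from `<linux/netlink.h>`, `<linux/rtnetlink.h>` and `<linux/if_arp.h>`.

```python
import struct

# Pseudo-header in front of every LINKTYPE_NETLINK packet, as described in the
# message: 2 unused, 2 hatype (BE), 10 unused, 2 netlink family (BE).
PSEUDO_HEADER_LEN = 16
NLMSG_HDR_LEN = 16          # struct nlmsghdr: len u32, type u16, flags u16, seq u32, pid u32
NLMSG_ALIGNTO = 4           # assumption: messages padded to 4 bytes, as the kernel does

# Values from the Linux UAPI headers, used only for the constructed sample.
NETLINK_ROUTE = 0
NLMSG_DONE = 3
RTM_GETLINK = 18
NLM_F_REQUEST = 0x01
NLM_F_DUMP = 0x300
ARPHRD_NETLINK = 824        # hardware address type of nlmon devices


def nlmsg_align(length: int) -> int:
    """Round a message length up to the next NLMSG_ALIGNTO boundary."""
    return (length + NLMSG_ALIGNTO - 1) & ~(NLMSG_ALIGNTO - 1)


def parse_pseudo_header(pkt: bytes) -> dict:
    """Decode the 16-byte SLL-style header; both multi-byte fields are big-endian."""
    if len(pkt) < PSEUDO_HEADER_LEN:
        raise ValueError("packet shorter than the LINKTYPE_NETLINK pseudo-header")
    (hatype,) = struct.unpack_from(">H", pkt, 2)
    (family,) = struct.unpack_from(">H", pkt, 14)
    return {"hatype": hatype, "family": family}


def parse_netlink_messages(data: bytes, byte_order: str = "<") -> list:
    """Walk the sequence of nlmsghdr-prefixed messages that follows the pseudo-header.

    The kernel writes nlmsghdr in host byte order, so "<" (Wireshark's assumption)
    fits captures from little-endian hosts and ">" is needed for big-endian ones.
    Every nlmsg_len is checked against the remaining buffer so a truncated or
    corrupted capture raises instead of reading past the end.
    """
    messages = []
    off = 0
    while off + NLMSG_HDR_LEN <= len(data):
        nl_len, nl_type, nl_flags, nl_seq, nl_pid = struct.unpack_from(
            byte_order + "IHHII", data, off)
        if nl_len < NLMSG_HDR_LEN or off + nl_len > len(data):
            raise ValueError(f"bad nlmsg_len {nl_len} at offset {off}")
        messages.append({
            "type": nl_type,
            "flags": nl_flags,
            "seq": nl_seq,
            "pid": nl_pid,
            "payload": data[off + NLMSG_HDR_LEN:off + nl_len],
        })
        off += nlmsg_align(nl_len)   # skip the alignment padding, if any
    return messages


def parse_capture_packet(pkt: bytes, byte_order: str = "<") -> tuple:
    """Decode one LINKTYPE_NETLINK packet: (pseudo-header dict, list of messages)."""
    header = parse_pseudo_header(pkt)
    return header, parse_netlink_messages(pkt[PSEUDO_HEADER_LEN:], byte_order)


# ---- constructed sample packet (not a real capture) ----
def _build_message(nl_type, nl_flags, nl_seq, nl_pid, payload):
    nl_len = NLMSG_HDR_LEN + len(payload)
    hdr = struct.pack("<IHHII", nl_len, nl_type, nl_flags, nl_seq, nl_pid)
    return hdr + payload + b"\x00" * (nlmsg_align(nl_len) - nl_len)


SAMPLE_PACKET = (
    b"\x00\x00" + struct.pack(">H", ARPHRD_NETLINK) + b"\x00" * 10
    + struct.pack(">H", NETLINK_ROUTE)
    # 5-byte payload gives nlmsg_len 21, so 3 bytes of padding precede the next message
    + _build_message(RTM_GETLINK, NLM_F_REQUEST | NLM_F_DUMP, 1, 4242, b"\x11\x00\x00\x00\x00")
    + _build_message(NLMSG_DONE, 0, 1, 4242, b"\x00\x00\x00\x00")
)

if __name__ == "__main__":
    hdr, msgs = parse_capture_packet(SAMPLE_PACKET)
    print(hdr)
    for m in msgs:
        print(m)
```

Running it prints the pseudo-header fields (hatype 824, family 0) followed by the two messages; the second one is only reachable because the walker honours the alignment padding after the 21-byte first message, which is exactly the detail a printer for this link type has to get right.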