--- Begin Message ---
On Tue, 2022-05-10 at 07:28 +0200, Tomasz Moń wrote:
> On Mon, May 9, 2022 at 10:17 PM Guy Harris <ghar...@sonic.net> wrote:
> > On May 9, 2022, at 12:31 PM, Tomasz Moń <deso...@gmail.com> wrote:
> > > It is important that the analysis engine know whether the packets
> > > were
> > > full or low-speed as there are slightly different rules. There is
> > > not
> > > so clear distinction between layers as USB does not really use
> > > ISO/OSI
> > > model.
> > >
> > > So I think it definitely makes sense to have separate link types
> > > for
> > > full-speed and low-speed.
> >
> > It makes sense to indicate whether packets are full-speed or low-
> > speed; nobody is arguing otherwise.
> >
> > The question is whether the right way to do that is to have
> > separate link types, so that you can't have a mix of full-speed and
> > low-speed packets in a single pcap capture or on a single interface
> > in a pcapng capture, or to have a single link-layer type with a
> > per-packet full-speed/low-speed indicator.
>
> I think the separate link types are the way to go.
>
> The full to low speed transition is not technically a packet, but
> rather a "Preamble". While the transceivers, e.g. the one used in
> OpenVizsla, have special mode to send that preamble together with
> low-speed packet, they do not have a mode to capture low-speed
> transactions. The handling logic has to be bundled in specialized hub
> chip (and only there, the non-hub full speed devices will happily
> discard what they see as garbage).
It should be noted that when (and if) low-speed traffic is received on
full-speed device differential pair (D+/D-), it is never intended for
the full-speed device and the full-speed device never acts upon it
(full-speed hub simply forwards low-speed traffic, non-hub devices
simply ignore it).
When user does full-speed only capture using hardware sniffer, the user
intends to see full-speed packets. If the resulting capture includes
PRE token, it is clear that there was some low-speed traffic. And it is
clear that the low-speed traffic was not in any way related to any
full-speed function.
When low-speed capture is performed, it has to be performed at the leaf
(in graph-theory sense) connection. Full-speed traffic never make it to
the low-speed cables, so the capture will contain only low-speed
packets.
--- End Message ---
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
