GNOME Bugzilla – Bug 738206
pcapparse can't handle LINKTYPE_RAW
Last modified: 2014-10-09 16:47:24 UTC
Created attachment 288098 [details] [review]
Add support for LINKTYPE_RAW
I used tcpdump to capture some VPN traffic. pcapparse couldn't handle it because it doesn't understand LINKTYPE_RAW (101).
Strictly speaking, these numbers aren't DLT_*; they are LINKTYPE_* because libpcap translates from internal OS-specific DLT_ numbering to the portable LINKTYPE_ number space when writing files. The patch fixes that too.
Review of attachment 288098 [details] [review]:
@@ +380,3 @@
+ eth_type = 0x800; /* Ick. We're assuming Legacy IP but the code
+ below is stuck in the 20th century too. */
IPv6 support is being added in bug #735991
Ah, neat. Looks like my patch still applies and should still DTRT since the patch there doesn't actually use the eth_type to distinguish between IPv6 and Legacy IP; it uses the version field in the IP header. So as long as we set *either* 0x800 or 0x86dd we're fine.
Author: David Woodhouse <email@example.com>
Date: Thu Oct 9 04:11:00 2014 -0400
pcapparse: Add support for LINKTYPE_RAW
Also, strictly speaking, these numbers aren't DLT_*; they are LINKTYPE_* bec
libpcap translates from internal OS-specific DLT_ numbering to the portable
LINKTYPE_ number space when writing files.