
Wireshark-dev: [Wireshark-dev] DLT assignment request

From: Stephen Donnelly <stephen@xxxxxxxxxx>
Date: Thu, 26 Jul 2007 08:57:45 +1200
I have sent this to the tcpdump-workers list but there is no response
yet so I will copy it here as it impacts Wireshark also.

Libpcap supports live capture from Endace DAG cards from a wide variety of
network link types. For example a capture natively using the Endace ERF
TYPE_HDLC_POS type can select DLT_CHDLC, DLT_PPP_SERIAL, DLT_FRELAY,
DLT_MTP2, or DLT_MTP2_WITH_PHDR depending on the nature of the actual
link.

Florent Drouin from Alcatel-Lucent has been working on improving the ERF
support in Wireshark. As part of this work we would like to request a
new DLT (DLT_ERF) which would encapsulate a single ERF record of any ERF
type. DLT_ERF would be available in addition to the existing DLT
choices. Forthcoming patches for Wireshark will allow it to completely
decode this type, including all of the ERF pseudoheader information.

As the DLT_ERF could encapsulate a variety of link types we would not
support BPF filtering of DLT_ERF records, at least initially. Wireshark
'display filters' will be able to act on this pcap type and also when
reading directly from ERF format files.

The only alternative I can see would be assigning new DLTs on a 1:1
basis with ERF types; however, there are already 19 ERF types defined and
I feel this would unnecessarily consume/pollute the libpcap DLT
namespace.

Comments, questions, objections welcome.

Regards,
Stephen.
-- 
-----------------------------------------------------------------------
    Stephen Donnelly BCMS PhD           email: sfd@xxxxxxxxxx
    Endace Technology Ltd               phone: +64 7 839 0540
    Hamilton, New Zealand               cell:  +64 21 1104378
-----------------------------------------------------------------------