Wireshark-users: Re: [Wireshark-users] OpenBSD enc0 capture from tcpdump fails to decode



From: Brad Guillory <brad@xxxxxxxxx>
Date: Fri, 25 Sep 2009 14:32:23 -0600


On Sep 25, 2009, at 2:19 PM, Guy Harris wrote:

I guess we could replace that code with

#if defined(DLT_ATM_RFC1483) && (DLT_ATM_RFC1483 == 13)
	{ 13,		WTAP_ENCAP_ATM_RFC1483 },
#else
	{ 13,		WTAP_ENCAP_ENC },
#endif

so that it still works as before for people trying to read BSD/OS RFC 1483-encapsulated ATM files on BSD/OS and treats 13 as meaning "OpenBSD IPsec encapsulation" everywhere else - it's not as if it handled BSD/OS SLIP on any platforms, so it's not as if we break that.


This is the same solution that I had worked out myself and I think it is the best one and will just do the right thing for nearly every case. And it will not change the behavior of anything that "worked" before.

In the pcap/bpf.h's that I have looked at I see something like this:
/*
 * Encapsulated packets for IPsec; DLT_ENC is 13 in OpenBSD, but that's
 * DLT_SLIP_BSDOS in NetBSD, so we don't use 13 for it in OSes other
 * than OpenBSD.
 */
#ifdef __OpenBSD__
#define DLT_ENC         13
#else
#define DLT_ENC         109
#endif

So unless we are on an OpenBSD machine we will never have DLT_ENC == 13. I also don't see code that would allow for DLT_ATM_RFC1483 to be set to 13. I understand that there are lots of pcap/bpf.h's out there but the change you propose seems like a reasonable one for me.

I am recompiling now to make sure that it will fix my problem; but I can't see why it wouldn't.

Thank you for your help,

BMG
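The conditional table entry discussed above, worked through as an added example that is not Wireshark's own code: a small link-type table carrying the proposed #if, and a pcap global-header reader that resolves the file's network field through it. The WTAP_ENCAP_* values, pcap_linktype_to_wtap(), pcap_header_encap() and the sample header are constructed for this illustration, not the real wiretap API.

```c
/* Added example, not Wireshark's own code: the proposed #if applied to a small
 * link-type table, plus a pcap global-header reader that resolves the file's
 * network field through it. The WTAP_ENCAP_* values, pcap_linktype_to_wtap()
 * and pcap_header_encap() are constructed here, not the real wiretap API. */
#include <stddef.h>
#include <stdint.h>

enum { WTAP_ENCAP_UNKNOWN = -1, WTAP_ENCAP_ETHERNET = 1,
       WTAP_ENCAP_ATM_RFC1483 = 2, WTAP_ENCAP_ENC = 3 };   /* constructed ids */
struct lt_map { int linktype; int wtap_encap; };

static const struct lt_map pcap_to_wtap[] = {
    { 1,   WTAP_ENCAP_ETHERNET },
#if defined(DLT_ATM_RFC1483) && (DLT_ATM_RFC1483 == 13)
    { 13,  WTAP_ENCAP_ATM_RFC1483 },  /* BSD/OS: 13 is RFC 1483 ATM */
#else
    { 13,  WTAP_ENCAP_ENC },          /* everywhere else: OpenBSD enc0 IPsec */
#endif
    { 109, WTAP_ENCAP_ENC },          /* DLT_ENC in non-OpenBSD pcap/bpf.h */
};

int pcap_linktype_to_wtap(int linktype) {
    size_t i;
    for (i = 0; i < sizeof pcap_to_wtap / sizeof pcap_to_wtap[0]; i++)
        if (pcap_to_wtap[i].linktype == linktype)
            return pcap_to_wtap[i].wtap_encap;
    return WTAP_ENCAP_UNKNOWN;
}

/* Read a 32-bit field in the byte order the file's magic number announced. */
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
              : (uint32_t)p[3] | (uint32_t)p[2] << 8 | (uint32_t)p[1] << 16 | (uint32_t)p[0] << 24;
}

/* Map the network field of a 24-byte pcap global header to an encapsulation,
 * accepting the classic 0xa1b2c3d4 magic in either byte order. */
int pcap_header_encap(const uint8_t *hdr, size_t len) {
    int le;
    if (len < 24) return WTAP_ENCAP_UNKNOWN;
    if (rd32(hdr, 1) == 0xa1b2c3d4u) le = 1;
    else if (rd32(hdr, 0) == 0xa1b2c3d4u) le = 0;
    else return WTAP_ENCAP_UNKNOWN;
    return pcap_linktype_to_wtap((int)rd32(hdr + 20, le));
}

/* Constructed little-endian header like one tcpdump -w writes for enc0 on
 * OpenBSD: version 2.4, zone 0, sigfigs 0, snaplen 65536, network 13. */
static const uint8_t enc0_hdr[24] = { 0xd4, 0xc3, 0xb2, 0xa1, 2, 0, 4, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 13, 0, 0, 0 };
int sample_enc0_encap(void) { return pcap_header_encap(enc0_hdr, sizeof enc0_hdr); }
```

Built on a platform whose pcap/bpf.h does not define DLT_ATM_RFC1483 as 13, the #else branch is compiled and the enc0 capture resolves to the IPsec encapsulation; on BSD/OS the first branch keeps the old RFC 1483 mapping.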

