Wireshark · Ethereal-dev: Re: [ethereal-dev] grabbing ppp packets

[Guy Harris <gharris@xxxxxxxxxxxx>]

> "pcap-linux.c", at least in the version of "libpcap" I see, doesn't even
> support *PPP* interfaces, at least not as DLT_PPP!  No ARPHDR_ type gets
> turned into DLT_PPP *or* DLT_SLIP.

ARPHRD_PPP gets turned into DLT_RAW...

> What happens if you put "sl0" in the "Interface" combo box and try to
> start a capture on it?  That'll indicate whether "libpcap" can open
> "sl0" - if it can't, it won't show up in the list of interfaces.

...as do ARPHRD_SLIP, ARPHRD_CSLIP, ARPHRD_SLIP6, and ARPHRD_CSLIP6. 
DLT_RAW means "you get no link-layer header, just the IP header", so I
guess whoever did "pcap-linux.c" discovered that, in fact, SLIP and PPP
in Linux don't give a network tap any link-layer headers, sigh.

I'm still curious what happens if you try to make Ethereal capture on
"sl0"; if it gives you an error, that'd explain why "sl0" didn't show up
in the interface list (if Ethereal can't open the interface, it doesn't
list it, so as not to give false hope, e.g. on Solaris the interface
list includes the loopback device but you can't open that device with
DLPI, but we don't want to forcibly filter loopback devices out because
you *can* snoop on the loopback device on, at least, FreeBSD and Linux
2.0[.x], and I actually found it useful to do so when debugging
something), and the error might indicate *why* it couldn't open it.