Peter Dons Tychsen wrote:
>
> Hey.
>
> Is there a type in PCAP which indicates that the link type is unknown ?
> If so, how does ethereal respond to this ?
Ethereal uses wiretap to read all files. So, the pcap handler for
wiretap would have to know about all of pcap's link types.
Wiretap does have a WTAP_ENCAP_UNKNOWN type. If Ethereal encounters
this,
the packet will be shown as a chunk of data, without being dissected.
> The problem is, that i have an undefined link on the router which can
> be of type IPv4, IPX or maybe a third type. I cannot set a definite
> type in the PCAP file (my output).
You're really getting straight IPv4 or IPX, with nothing else before
it? No WAN header?
Maybe you could try to figure out what the protocol is, either:
1. In your code that produces the pcap file. You'd use DLT_RAW
for IPv4, you'd create a DLT_IPX for IPX, and then
another DLT for your 3rd protocol. Be sure to register
any new DLT's with the folks at tcpdump.org
2. You could put the logic in wiretap, in the code that *reads*
pcap files. Again, you'd have to add WTAP_ENCAP_IPX
and possibly another type. Then you'd have to modify
Ethereal's ipx dissector to register itself with
the "wtap_encap" dissector table so that dissect_frame()
would correctly cause dissect_ipx() to be called.
3. Create a new DLT and WTAP_ENCAP type which means "look for
IPv4, IPX, or something else", Then create a new dissector
in Ethereal which tries to determine which protocol
it is.
You should be able to test for IPX by looking for FF:FF in the
first two bytes.
I don't know what your 3rd protocol is, so I can't tell you how
to differentiate it from IPv4.
>
> Can ethereal handle this ?
No.
--gilbert
