Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Ethereal-dev: Re: [Ethereal-dev] PCAP undefined link type

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Peter Dons Tychsen" <donpedro@xxxxxx>
Date: Thu, 22 Mar 2001 01:01:33 +0100
Here is the problem.

I have created the software which makes sniffing possible on the router.

The software MUST and CAN trace from different layers of the stack.

Here is an example: V11 cable, running HDLC encapsulating PPP.
On the link the PPP encapsulates IP and IPX traffic when IP and IPX routing
over the link is enabled.

If sniffing on the HDLC layer, no problem as other router software tell me
it is HDLC when my software gets the packet. I set output as HDLC in PCAP
output.
If sniffing on the PPP layer, no problem as other router software tell me it
is PPP when my software gets the packet. I set output as PPP in PCAP output.

---> BUT! If sniffing on the link payload..... i only get an indication that
it is "Multi Protocol Link", which could be any kind of traffic capable of
tunneling inside PPP or different link type (Ethernet (bridging ethernet),
IPX, IP and some other stuff)).

If there was a type called PCAP_UNKOWN_LINK_PAYLOAD or something like this,
then ethereal could try and guess the contents of these packets. But maybe
there is not. Maybe it would be smarter if i made a mini analyzer, to
determine the type before i save my stuff.

/Peter



----- Original Message -----
From: "Guy Harris" <guy@xxxxxxxxxx>
To: <donpedro@xxxxxx>
Cc: <ethereal-dev@xxxxxxxxxxxx>
Sent: Wednesday, March 21, 2001 9:15 PM
Subject: Re: [Ethereal-dev] PCAP undefined link type


> (Same reply as my previous one, but replying to the version of your
> message that had the correct subject line.)
>
> On Wed, Mar 21, 2001 at 02:07:19PM +0100, Peter Dons Tychsen wrote:
> > Is there a type in PCAP which indicates that the link type is unknown ?
>
> No.  You *HAVE* to have *SOME* kind of link-layer header, even if it's
> "no link-layer header" (i.e., DLT_RAW, which means "IP only", no IPX or
> anything else).
>
> > The problem is, that i have an undefined link on the router which can
> > be of type IPv4, IPX or maybe a third type. I cannot set a definite
> > type in the PCAP file (my output).
>
> Neither IPX nor IPv4 are link-layer protocols.
>
> You haven't specified how you're going to get these packets in the first
> place.  Is there some way the router can be told to provide raw packet
> data?  If so, is that the mechanism you're using to get the packet data?
>
> If so, what data does the router provide?  Just the payload above the
> link-layer, with no indication of what type of packet it is?  (If so,
> the people responsible for the router's software should be told that
> this is not particularly useful....)  Or is *some* kind of indication of
> the link layer provided.
>
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube