Wireshark · Ethereal-dev: Re: [Ethereal-dev] What link-type value do I need to feed for ethrreal to display the IP, ICMP and T

[Guy Harris <gharris@xxxxxxxxx>]

On Thu, Mar 04, 2004 at 04:49:18PM +0530, Viren wrote:
> I am trying to "create" a binary tcpdump file compatible with the
> LibPCap file format.  I want to display the IP header, ICMP header and
> the TCP/UDP header of every incoming-outgoing packet. 
> 
> For the above, I am using the link-type (the last 4 bytes of the
> tcpdump file-header) to be 101 (which I got from the savefile.c of
> WinPCap).  That number, is really for Raw IP and not the one I want.

Why not?

> 1.  What value should I write in my binary file for the link-type so
> that etherreal would display me the IP header, ICMP, TCP/UDP headers ?

If you have a link-layer header, put in the binary value for the
link-layer type for that type of header (e.g., 1 for Ethernet).

If you *don't* have a link-layer header, just an IP header and IP
payload, put in 101 as the link-layer type.

> 2.  Is it that I will have to separate the incoming packet and break
> it into IP, TCP/UDP and then create separate record headers from them
> and dump the stuff in the tcpdump file as separate records?

No.

> Or simply dumping the entire packet (with perhaps a proper link-type
> being set) should do the trick for me?

Yes.