Wireshark · Ethereal-dev: Re: [Ethereal-dev] Need an extra bit in the packet-header struct.

[Ben Greear <greearb@xxxxxxxxxxxxxxx>]

Guy Harris wrote:
> On Mon, Jun 28, 2004 at 11:44:26PM -0700, Ben Greear wrote:
>
> > I have need for an extra bit in the header for each packet.
> > This is to tell me whether the packet was received or transmitted
> > on this interface.
>
>
> To which "packet header structure" are you referring?

I wasn't aware I had more than once choice.  I'm
talking about this one from pcap.h:

struct pcap_pkthdr {
	struct timeval ts;	/* timestamp */
	bpf_u_int32 caplen;	/* length of portion present */
	bpf_u_int32 len;	/* length this packet (off wire) */
};


> > Since the length fields are 32-bit, and there is no 4GB packet to be
> > had, I was thinking I could just use the high-bit there.
>
>
> If it's "wtap_pkthdr", you might as well just add an entire field -
> especially given that "received or transmitted" don't cover all the
> possibilities; there's also
>
> 	unknown (if you really don't know whether the packet was
> 	received or transmitted)
>
> 	received {unicast,broadcast,multicast} (some packet capture
> 	mechanisms supply this information; current libpcap doesn't pass
> 	that through, but it might do so in the future)
>
> along with "transmitted" and "received but that's all I know about it".
>
> If it's "frame_data", there's already a flag field, although, again, the
> direction indicator should be more than one bit.

A quick google leads me to believe these are specific to ethereal.  I'll
grab the source and poke around.

Thanks,
Ben

--
Ben Greear <greearb@xxxxxxxxxxxxxxx>
Candela Technologies Inc  http://www.candelatech.com