On Sat, May 13, 2000 at 03:44:23AM -0500, Guy Harris wrote:
>
>
> On Fri, May 12, 2000 at 01:27:13PM -0500, Gilbert Ramirez wrote:
> > However, WinPcap doesn't support Token-ring. You need to persuade/help
> > the WinPcap folks to support it.
>
> You might first have get the LibPcap folks to support it. :-)
>
> The current tcpdump from the tcpdump.org CVS archive (unless somebody
> checked it in recently) doesn't appear to have anything to print Token
> Ring packets; it *might* be that libpcap is handling DLT_IEEE802 as
> Token Ring rather than as, say, IEEE 802.3 plus LLC, but I'm not certain
> of that.
Yes, that's what libpcap does. On Linux, libpcap needs a helping hand
with token-ring.. the author of the ibmtr driver for Linux has a patch
to libpcap that lets libpcap correctly detect a token-ring interface
as token-ring. It's unfortunate that the label "DLT_IEEE802" is used
as token-ring, since it really should be 802.5. I think if "802" as
referring to the whole suite of 802.x link types.
However, the token-ring support in libpcap is minimal. Libpcap's design
assumes that a link layer protocol has a fixed header length. Token-ring
does not. Libpcap assumes that token-ring headers have the minimum
size, which means you can correctly filter on higher-layer protocols
only if they don't involve token-ring source-routing, which gives the
minimum-sized TR header.
If you're running IP *with* token-ring source-routing, then the TR
header has more bytes and libpcap doesn't correctly compute the offset
for the IP header, so your filters don't work.
> I think there might be Token Ring patches for libpcap and tcpdump
> somewhere on the net, but they probably haven't yet been incorporated
> into the tcpdump.org tree.
I think the Linux-related ones have not been incorporated.
--gilbert
