Wireshark-dev: Re: [Wireshark-dev] Fun with Cisco DLT-value usage

From: Jeff Morriss <jeff.morriss@xxxxxxxxxxx>
Date: Fri, 16 Mar 2007 11:06:51 +0800


Joerg Mayer wrote:
> Hello List,
>
> I'm trying to enable some people to read some captures in libpcap format
> directly without having to change the binary capture packet first. The
> packet was captured using Cisco's ERSPAN feature. In their infinite
> wisdom, the engineers who implemented that feature chose a dlt-value of
> 0x71. What is the best way to handle that situation? Does someone else

Shoot the responsible engineer(s)?  ;-)

> use pcap version 2.4 or could that be a way to find out whether it's
> some Cisco specific stuff or the regular WTAP_ENCAP_SLL?

I suppose you'll need heuristics like those described in the (long) comments in "wiretap/libpcap.c".
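
As an added illustration of the kind of heuristic discussed in this thread (not code from either poster and not the logic in "wiretap/libpcap.c"): the sketch below reads the libpcap file header, and when the link type is 0x71 checks whether the first packets carry a plausible Linux cooked-capture (SLL) header. The thread does not describe the Cisco header layout, so the code only decides "plausibly SLL" versus "not SLL"; the function names, the field checks and the sample packets are assumptions made for the example.

```python
import struct

LINKTYPE_LINUX_SLL = 0x71   # 113; the DLT value discussed in the thread

def parse_global_header(buf):
    """Return (endian, major, minor, linktype) from the 24-byte libpcap file header."""
    if len(buf) < 24:
        raise ValueError("short pcap file header")
    if buf[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif buf[:4] in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    major, minor, _tz, _sig, _snap, linktype = struct.unpack(endian + "HHiIII", buf[4:24])
    return endian, major, minor, linktype

def looks_like_sll(pkt):
    """Heuristic (assumed checks): plausible 16-byte SLL header? Fields are big-endian."""
    if len(pkt) < 16:
        return False
    pkttype, _hatype, halen = struct.unpack(">HHH", pkt[:6])
    proto = struct.unpack(">H", pkt[14:16])[0]
    # Packet type 0..4, address fits the 8-byte field, protocol is an EtherType
    # or one of the special values 0x0001 (802.3, no LLC) / 0x0004 (802.2 LLC).
    return pkttype <= 4 and halen <= 8 and (proto >= 0x0600 or proto in (0x0001, 0x0004))

def classify(capture, max_packets=5):
    """Return 'other-dlt', 'sll', 'not-sll' or 'unknown' (no packets to inspect)."""
    endian, _major, _minor, linktype = parse_global_header(capture)
    if linktype != LINKTYPE_LINUX_SLL:
        return "other-dlt"
    off, checked = 24, 0
    while off + 16 <= len(capture) and checked < max_packets:
        # Record header: ts_sec, ts_frac, incl_len, orig_len (4 bytes each)
        incl_len = struct.unpack(endian + "I", capture[off + 8:off + 12])[0]
        if not looks_like_sll(capture[off + 16:off + 16 + incl_len]):
            return "not-sll"
        off, checked = off + 16 + incl_len, checked + 1
    return "sll" if checked else "unknown"

def build_pcap(linktype, packets):
    """Build a little-endian pcap 2.4 file in memory (constructed test data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for p in packets:
        out += struct.pack("<IIII", 0, 0, len(p), len(p)) + p
    return out

# Constructed samples: an SLL header (to host, ARPHRD_ETHER, 6-byte MAC, IPv4) and a non-SLL blob.
SLL_PKT = struct.pack(">HHH8sH", 0, 1, 6, bytes.fromhex("001122334455"), 0x0800) + b"\x45" * 20
NON_SLL_PKT = b"\xff" * 16
```

A "not-sll" result only means the packets fail the SLL plausibility test; identifying what they actually are needs knowledge of the other format.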