Wireshark-dev: Re: [Wireshark-dev] Fun with Cisco DLT-value usage

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 15 Mar 2007 20:30:01 -0700

On Mar 15, 2007, at 8:06 PM, Jeff Morriss wrote:

I suppose you'll need heuristics like those described in the (long)
comments in "wiretap/libpcap.c".

Or like the ones in epan/dissectors/packet-null.c.

Now, if only the fine folks at Cisco had seen some other comments in that file, such as

/*
 * Either LBL NRG wasn't an adequate central registry (e.g., because of
 * the slow rate of releases from them), or nobody bothered using them
 * as a central registry, as many different groups have patched libpcap
 * (and BPF, on the BSDs) to add new encapsulation types, and have ended
 * up using the same DLT_ values for different encapsulation types.
 *
 * For those numerical encapsulation type values that everybody uses for
 * the same encapsulation type (which includes those that some platforms
 * specify different DLT_ names for but don't appear to use), we map
 * those values to the appropriate Wiretap values.
 *
 * For those numerical encapsulation type values that different libpcap
 * variants use for different encapsulation types, we check what
 * <pcap.h> defined to determine how to interpret them, so that we
 * interpret them the way the libpcap with which we're building
 * Wireshark/Wiretap interprets them (which, if it doesn't support
 * them at all, means we don't support them either - any capture files
 * using them are foreign, and we don't hazard a guess as to which
 * platform they came from; we could, I guess, choose the most likely
 * platform).
 *
 * Note: if you need a new encapsulation type for libpcap files, do
 * *N*O*T* use *ANY* of the values listed here!  I.e., do *NOT*
 * add a new encapsulation type by changing an existing entry;
 * leave the existing entries alone.
 *
 * Instead, send mail to tcpdump-workers@xxxxxxxxxxx, asking for a new
 * DLT_ value, and specifying the purpose of the new value.  When you
 * get the new DLT_ value, use that numerical value in the "dlt_value"
 * field of "pcap_to_wtap_map[]".
 */

or

        /*
         * To repeat:
         *
         * If you need a new encapsulation type for libpcap files, do
         * *N*O*T* use *ANY* of the values listed here!  I.e., do *NOT*
         * add a new encapsulation type by changing an existing entry;
         * leave the existing entries alone.
         *
         * Instead, send mail to tcpdump-workers@xxxxxxxxxxx, asking for
         * a new DLT_ value, and specifying the purpose of the new value.
         * When you get the new DLT_ value, use that numerical value in
         * the "dlt_value" field of "pcap_to_wtap_map[]".
         */

or, in the bpf.h that comes with libpcap:

/*
 * Data-link level type codes.
 *
 * Do *NOT* add new values to this list without asking
 * "tcpdump-workers@xxxxxxxxxxx" for a value.  Otherwise, you run the
 * risk of using a value that's already being used for some other purpose,
 * and of having tools that read libpcap-format captures not being able
 * to handle captures with your new DLT_ value, with no hope that they
 * will ever be changed to do so (as that would destroy their ability
 * to read captures using that value for that other purpose).
 */
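
An added example, not part of the original message or of Wireshark's source: a C check that reads the link-layer type from a pcap file header and flags values that different libpcap/BPF variants have assigned to different encapsulations, so an analyst knows the capture may be dissected with the wrong link layer. The function names and the three-entry clash table are illustrative assumptions; check the values against your own pcap.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
enum lt_status { LT_BAD_HEADER = -1, LT_OK = 0, LT_PLATFORM_DEPENDENT = 1 };

/* Illustrative subset (assumption, not Wireshark's table): values that
 * different libpcap/BPF variants have used for different encapsulations. */
static const struct { uint32_t value; const char *meanings; } clashes[] = {
    { 12, "DLT_RAW on most platforms, DLT_LOOP on OpenBSD" },
    { 13, "DLT_SLIP_BSDOS on FreeBSD/NetBSD, DLT_ENC on OpenBSD" },
    { 14, "DLT_PPP_BSDOS on FreeBSD/NetBSD, DLT_RAW on OpenBSD" },
};

static uint32_t rd32(const uint8_t *p, int big_endian)
{
    return big_endian
        ? ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]
        : ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

/* Read the 24-byte pcap file header; report the link type and, if its
 * meaning depends on the writing platform, the competing readings. */
enum lt_status check_pcap_linktype(const uint8_t *hdr, size_t len,
                                   uint32_t *linktype, const char **meanings)
{
    if (len < 24) return LT_BAD_HEADER;
    uint32_t magic = rd32(hdr, 1);            /* magic as laid out in the file */
    int big_endian = (magic == 0xa1b2c3d4u || magic == 0xa1b23c4du);
    if (!big_endian && magic != 0xd4c3b2a1u && magic != 0x4d3cb2a1u) return LT_BAD_HEADER;
    *linktype = rd32(hdr + 20, big_endian);   /* "network" field, offset 20 */
    *meanings = NULL;
    for (size_t i = 0; i < sizeof clashes / sizeof clashes[0]; i++)
        if (clashes[i].value == *linktype) *meanings = clashes[i].meanings;
    return *meanings ? LT_PLATFORM_DEPENDENT : LT_OK;
}

/* Constructed sample headers: little-endian Ethernet (1), big-endian value 14. */
static const uint8_t sample_le_eth[24] = { 0xd4,0xc3,0xb2,0xa1, 2,0,4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0 };
static const uint8_t sample_be_14[24]  = { 0xa1,0xb2,0xc3,0xd4, 0,2,0,4, 0,0,0,0, 0,0,0,0, 0,0,0xff,0xff, 0,0,0,14 };

int main(void)
{
    uint32_t lt; const char *why;
    check_pcap_linktype(sample_le_eth, sizeof sample_le_eth, &lt, &why);
    printf("link type %u: %s\n", (unsigned)lt, why ? why : "not in the clash table");
    check_pcap_linktype(sample_be_14, sizeof sample_be_14, &lt, &why);
    printf("link type %u: %s\n", (unsigned)lt, why ? why : "not in the clash table");
    return 0;
}
```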