Wireshark-dev: Re: [Wireshark-dev] Fun with Cisco DLT-value usage
From: Andrej Mikus <wireshark-dev@xxxxxxxx>
Date: Wed, 21 Mar 2007 00:10:50 +0100
I believe the issue could be reported to Cisco TAC requesting correction, instead of hacking heuristics. At the other hand, did they announce somewhere that they are using libpcap format? I was googling a bit and found indications how to convert the file http://www.gossamer-threads.com/lists/engine?post=56109;list=cisco In one post is mentioned also that upcoming SW release is expected to create pcap files. Andrej On Thu, 15.Mar.07 20:30:01 -0700, Guy Harris wrote: > > On Mar 15, 2007, at 8:06 PM, Jeff Morriss wrote: > > > I suppose you'll need heuristics like those described in the (long) > > comments in "wiretap/libpcap.c". > > Or like the ones in epan/dissectors/packet-null.c. > > Now, if only the fine folks at Cisco had seen some other comments in > that file, such as > > /* > * Either LBL NRG wasn't an adequate central registry (e.g., because of > * the slow rate of releases from them), or nobody bothered using them > * as a central registry, as many different groups have patched libpcap > * (and BPF, on the BSDs) to add new encapsulation types, and have > ended > * up using the same DLT_ values for different encapsulation types. > * > * For those numerical encapsulation type values that everybody uses > for > * the same encapsulation type (which inclues those that some platforms > * specify different DLT_ names for but don't appear to use), we map > * those values to the appropriate Wiretap values. > * > * For those numerical encapsulation type values that different libpcap > * variants use for different encapsulation types, we check what > * <pcap.h> defined to determine how to interpret them, so that we > * interpret them the way the libpcap with which we're building > * Wireshark/Wiretap interprets them (which, if it doesn't support > * them at all, means we don't support them either - any capture files > * using them are foreign, and we don't hazard a guess as to which > * platform they came from; we could, I guess, choose the most likely > * platform). > * > * Note: if you need a new encapsulation type for libpcap files, do > * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT* > * add a new encapsulation type by changing an existing entry; > * leave the existing entries alone. > * > * Instead, send mail to tcpdump-workers@xxxxxxxxxxx, asking for a new > * DLT_ value, and specifying the purpose of the new value. When you > * get the new DLT_ value, use that numerical value in the "dlt_value" > * field of "pcap_to_wtap_map[]". > */ > > or > > /* > * To repeat: > * > * If you need a new encapsulation type for libpcap files, do > * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT* > * add a new encapsulation type by changing an existing entry; > * leave the existing entries alone. > * > * Instead, send mail to tcpdump-workers@xxxxxxxxxxx, asking > for > * a new DLT_ value, and specifying the purpose of the new > value. > * When you get the new DLT_ value, use that numerical value in > * the "dlt_value" field of "pcap_to_wtap_map[]". > */ > > or, in the bpf.h that comes with libpcap: > > /* > * Data-link level type codes. > * > * Do *NOT* add new values to this list without asking > * "tcpdump-workers@xxxxxxxxxxx" for a value. Otherwise, you run the > * risk of using a value that's already being used for some other > purpose, > * and of having tools that read libpcap-format captures not being able > * to handle captures with your new DLT_ value, with no hope that they > * will ever be changed to do so (as that would destroy their ability > * to read captures using that value for that other purpose). > */ > > _______________________________________________ > Wireshark-dev mailing list > Wireshark-dev@xxxxxxxxxxxxx > http://www.wireshark.org/mailman/listinfo/wireshark-dev
- References:
- [Wireshark-dev] Fun with Cisco DLT-value usage
- From: Joerg Mayer
- Re: [Wireshark-dev] Fun with Cisco DLT-value usage
- From: Jeff Morriss
- Re: [Wireshark-dev] Fun with Cisco DLT-value usage
- From: Guy Harris
- [Wireshark-dev] Fun with Cisco DLT-value usage
- Prev by Date: Re: [Wireshark-dev] Bug 491 : time delta behaviour
- Next by Date: Re: [Wireshark-dev] Prevent compiler warnings by using "stop on warnings"/"treat warnings as errors" compiler option?
- Previous by thread: Re: [Wireshark-dev] Fun with Cisco DLT-value usage
- Next by thread: [Wireshark-dev] [PATCH 1/2] wiretap: New MPEG file format
- Index(es):
- Get Wireshark
- Download
- Code of Conduct