
Wireshark-dev: Re: [Wireshark-dev] How to make libpcap/wiretap understand proprietary/standard l

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 19 Sep 2008 01:05:39 -0700

On Sep 18, 2008, at 10:10 PM, Gaurav1 Jain wrote:

Gaurav: yes, the latter one is the case. If I try to capture the interface using

Capture → Options → Link Header Type is displayed as Linux Cooked Mode Capture.

Presumably by "capture the interface" you mean capturing on the Linux network interface.

If so, that means the Sangoma driver is returning either an unknown ARPHRD_ type or one of ARPHRD_ATM or ARPHRD_PPP as its ARPHRD_ type.

When traces are displayed protocol decoded is found to be IP.

It's capturing in cooked mode, with a PF_SOCKET/SOCK_DGRAM socket, so that the link-layer header is stripped off, and a "cooked" link-layer type supplied (IPv4, if the protocol is IP).

Otherwise when PCAP file is first captured using WanDriver commands (available with WanPipe)

...which means the capture isn't going through libpcap.

and then open using wireshark TZSP is the protocol being displayed on GUI.

...which means that the WanDriver software is writing a pcap-format file with a link-layer type of DLT_TZSP.

The only link-layer types supported in DLT_TZSP in Wireshark are Ethernet and various forms of 802.11, so presumably it's providing a fake Ethernet header.

So what does it mean when it "provides [an] IP interface"?  Does that mean that the card supplies IP packets, with link-layer headers stripped off,

Gaurav: yes, this is the case.

If that's the case, then you won't ever be able to see the HDLC or proprietary link-layer headers, as the card doesn't give them to the host, so they're irrelevant.

There is no "ICMP/UDP/TCP/SCTP/IP kind of DLT" attached to *any* traces; those are all protocols running atop the link layer. There is a DLT_RAW link layer used for packets where there *is* no link-layer header.

Gaurav: I checked the man page of pcap and it says DLT_RAW means the packet begins with the IP header.

Yes, that's what "There is a DLT_RAW link layer used for packets where there *is* no link-layer header" means.

Gaurav: We are using the HDLC protocol while configuring WANPIPE, so it should be the LIP protocol stack line where the card is getting connected, and accordingly the ARPHRD_ type should be ARPHRD_HDLC.

Only if the card is supplying HDLC headers to the host, which you said wasn't the case.
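The two file layouts this thread turns on, the cooked (LINKTYPE_LINUX_SLL) capture whose 16-byte header carries the driver's ARPHRD_ type and the DLT_RAW file whose packets begin directly with the IP header, as an added example not taken from the thread or from libpcap: it builds a one-packet pcap of each kind from a constructed IPv4 header and reads back which link-layer type the file declares and where the IP header starts. The pcap and SLL field layouts follow the tcpdump.org format descriptions; the ARPHRD_ numeric values are the Linux <linux/if_arp.h> ones.

```python
import struct

# pcap global-header link-layer type values (LINKTYPE_* from the tcpdump.org list);
# the constructed files below use only these two.
LINKTYPE_RAW = 101        # packet starts with the IP header; no link-layer header
LINKTYPE_LINUX_SLL = 113  # Linux "cooked" capture; 16-byte SLL header precedes the packet

# Linux ARPHRD_ values (<linux/if_arp.h>) that an SLL header may carry
ARPHRD_NAMES = {1: "ARPHRD_ETHER", 19: "ARPHRD_ATM", 512: "ARPHRD_PPP", 513: "ARPHRD_HDLC"}

# Constructed sample: a bare 20-byte IPv4 header (version 4, IHL 5, total length 20,
# TTL 64, protocol 1, 10.0.0.1 -> 10.0.0.2); the checksum field is a placeholder.
SAMPLE_IPV4 = bytes.fromhex("45000014000100004001000a0a0000010a000002")

def build_pcap(linktype, packet):
    """Return a single-packet little-endian pcap file declaring the given link-layer type."""
    global_hdr = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, linktype)
    pkt_hdr = struct.pack("<IIII", 0, 0, len(packet), len(packet))
    return global_hdr + pkt_hdr + packet

def build_sll_header(arphrd_type, protocol=0x0800):
    """Build a Linux cooked (SLL) header; all fields are big-endian per the LINKTYPE_LINUX_SLL spec."""
    pkt_type, addr_len, addr = 0, 0, b"\x00" * 8  # 0 = packet addressed to us; no link-layer address
    return struct.pack(">HHH8sH", pkt_type, arphrd_type, addr_len, addr, protocol)

def describe_first_packet(pcap):
    """Report the file's link-layer type and where the IP header begins in the first packet."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xa1b2c3d4:
        raise ValueError("not a little-endian pcap file")
    linktype, = struct.unpack_from("<I", pcap, 20)        # last field of the 24-byte global header
    incl_len, = struct.unpack_from("<I", pcap, 24 + 8)    # captured length in the per-packet header
    data = pcap[40:40 + incl_len]
    if linktype == LINKTYPE_RAW:
        return {"linktype": "LINKTYPE_RAW", "arphrd": None, "ip_offset": 0, "ip_version": data[0] >> 4}
    if linktype == LINKTYPE_LINUX_SLL:
        _, arphrd, _, _, proto = struct.unpack_from(">HHH8sH", data, 0)
        return {"linktype": "LINKTYPE_LINUX_SLL", "arphrd": ARPHRD_NAMES.get(arphrd, f"unknown ({arphrd})"),
                "ip_offset": 16, "ip_version": data[16] >> 4 if proto == 0x0800 else None}
    return {"linktype": f"unhandled ({linktype})", "arphrd": None, "ip_offset": None, "ip_version": None}

if __name__ == "__main__":
    print(describe_first_packet(build_pcap(LINKTYPE_RAW, SAMPLE_IPV4)))
    print(describe_first_packet(build_pcap(LINKTYPE_LINUX_SLL, build_sll_header(512) + SAMPLE_IPV4)))
```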