On May 10, 2012, at 2:06 PM, Jeff Morriss wrote:
> Richard Sharpe wrote:
>> Hi folks,
>>
>> The problem with my changes to support pcap-ng through pipes seems to
>> be that I am not communicating linktype correctly.
>>
>> What is the secret?
>
> IIRC Wireshark gets the linktype of the interfaces BEFORE the capture
> starts.
Actually, *Wireshark* gets the linktype of the interface(s) as it reads the output of dumpcap.
The question is where *dumpcap* gets the linktype. From an interface, it gets it from a pcap_datalink() call once the interface is open, but that doesn't work on a pipe. For a pipe, cap_pipe_open_live() reads the pcap file header from the pipe and then uses the link-layer header type from the file header.
However, if we're going to support capturing from a pipe to which a pcap-ng-format data stream is being written, there's no longer a linktype - there's a list of one *or more* interfaces, not all of which necessarily have the same link-layer header type.
That might mean that dumpcap's capture-pipe-reading architecture would need to change to (fully) support pcap-ng; perhaps that might involve changing the message sequence between dumpcap and {Wire,T}shark so that dumpcap sends messages to its client saying "a new interface has arrived, here's an Interface Description Block for it" (with an IDB being synthesized from the file header if a pcap-format data stream is being read from the pipe).
