Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] How does dumpcap.c communicate linktype when pushing packets

From: Richard Sharpe <realrichardsharpe@xxxxxxxxx>
Date: Thu, 10 May 2012 18:18:51 -0700
On Thu, May 10, 2012 at 4:14 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>
> On May 10, 2012, at 2:06 PM, Jeff Morriss wrote:
>
>> Richard Sharpe wrote:
>>> Hi folks,
>>>
>>> The problem with my changes to support pcap-ng through pipes seems to
>>> be that I am not communicating linktype correctly.
>>>
>>> What is the secret?
>>
>> IIRC Wireshark gets the linktype of the interfaces BEFORE the capture
>> starts.
>
> Actually, *Wireshark* gets the linktype of the interface(s) as it reads the output of dumpcap.
>
> The question is where *dumpcap* gets the linktype.  From an interface, it gets it from a
> pcap_datalink() call once the interface is open, but that doesn't work on a pipe.  For a pipe,
> cap_pipe_open_live() reads the pcap file header from the pipe and then uses the link-layer header
> type from the file header.
>
> However, if we're going to support capturing from a pipe to which a pcap-ng-format data stream is
> being written, there's no longer a linktype - there's a list of one *or more* interfaces, not all of which
> necessarily have the same link-layer header type.
>
> That might mean that dumpcap's capture-pipe-reading architecture would need to change to (fully)
> support pcap-ng; perhaps that might involve changing the message sequence between dumpcap
> and {Wire,T}shark so that dumpcap sends messages to its client saying "a new interface has
> arrived, here's an Interface Description Block for it" (with an IDB being synthesized from the file
> header if a pcap-format data stream is being read from the pipe).

OK, that give me the hint I was looking for ...

-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)