Wireshark-dev: Re: [Wireshark-dev] How does dumpcap.c communicate linktype when pushing packets
From: Richard Sharpe <[email protected]>
Date: Thu, 10 May 2012 18:49:24 -0700
On Thu, May 10, 2012 at 6:18 PM, Richard Sharpe
<[email protected]> wrote:
> On Thu, May 10, 2012 at 4:14 PM, Guy Harris <[email protected]> wrote:
>>
>> On May 10, 2012, at 2:06 PM, Jeff Morriss wrote:
>>
>>> Richard Sharpe wrote:
>>>> Hi folks,
>>>>
>>>> The problem with my changes to support pcap-ng through pipes seems to
>>>> be that I am not communicating linktype correctly.
>>>>
>>>> What is the secret?
>>>
>>> IIRC Wireshark gets the linktype of the interfaces BEFORE the capture
>>> starts.
>>
>> Actually, *Wireshark* gets the linktype of the interface(s) as it reads the output of dumpcap.
>>
>> The question is where *dumpcap* gets the linktype.  From an interface, it gets it from a
>> pcap_datalink() call once the interface is open, but that doesn't work on a pipe.  For a pipe,
>> cap_pipe_open_live() reads the pcap file header from the pipe and then uses the link-layer header
>> type from the file header.
>>
>> However, if we're going to support capturing from a pipe to which a pcap-ng-format data stream is
>> being written, there's no longer a linktype - there's a list of one *or more* interfaces, not all of which
>> necessarily have the same link-layer header type.
>>
>> That might mean that dumpcap's capture-pipe-reading architecture would need to change to (fully)
>> support pcap-ng; perhaps that might involve changing the message sequence between dumpcap
>> and {Wire,T}shark so that dumpcap sends messages to its client saying "a new interface has
>> arrived, here's an Interface Description Block for it" (with an IDB being synthesized from the file
>> header if a pcap-format data stream is being read from the pipe).
>
> OK, that give me the hint I was looking for ...

If I forcibly set the linktype to 1 when reading the first header (the
SHB) during pcap_live_open, then things work as I expect.

Now to figure out the communication between dumpcap and Wireshark et al.

-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)