Ok, thanks. The reason I ask is I'm writing wiretap support for the Firestorm NIDS (http://www.scaramanga.co.uk/firestorm) alert log which dumps out the sll layer too. I have an "Alert" dissector first, so I need to call the sll dissector rather than just set the encap whilst reading.

Firestorm uses an mmapped packet socket for capture, so the sll structure is different too (tpacket_hdr + alignment + sockaddr_ll + alignment). Bit of a pain really as I've had to mod packet-sll to detect this and act accordingly. I may just check the ethertype inside the sll in my alert handler and jump directly to ether.

Unless somebody thinks mmapped packet socket sll support would be useful? (I'm not sure where else this would crop up.) It might be nice to be able to capture using this method... has anybody thought about this before?

~John.

On Thu, 2003-02-13 at 01:00, Guy Harris wrote:
> On Thu, Feb 13, 2003 at 12:30:44AM +0000, John Leach wrote:
> > can anybody tell me why the sll dissector isn't registered using the
> > register_dissector() function, and therefore can't be found by
> > find_dissector() ?
>
> Because nobody has yet given any reason why any other dissector would
> *want* to find it. The Linux SLL header is a top-level link-layer
> header, so there's no reason to expect that a packet with that header
> would be encapsulated inside another packet.

--
GPG KEY: B89C D450 5B2C 74D8 58FB A360 9B06 B5C2 26F0 3047
HTTP: http://www.johnleach.co.uk
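The mmapped packet socket layout named in the message above (tpacket_hdr + alignment + sockaddr_ll + alignment), as an added example that is not part of the original post and is not Firestorm or Ethereal code: a bounds-checked parser that reads the ethertype from the sockaddr_ll and locates the captured bytes through tp_mac. The ex_ structs are local mirrors of the kernel's TPACKET_V1 definitions, and treating a record as starting at the tpacket_hdr is an assumption of this example, since the post does not give the alert log format.

```c
#include <arpa/inet.h>   /* htons, ntohs */
#include <stdint.h>
#include <string.h>
/* Local mirrors of the kernel's TPACKET_V1 ring-frame structs (ex_ names belong to this example). */
#define EX_ALIGN(x) (((x) + 15u) & ~(size_t)15u)    /* same rounding as TPACKET_ALIGN (16 bytes) */
struct ex_tpacket_hdr {
    unsigned long tp_status;
    unsigned int tp_len, tp_snaplen;
    unsigned short tp_mac, tp_net;
    unsigned int tp_sec, tp_usec;
};
struct ex_sockaddr_ll {
    unsigned short sll_family, sll_protocol;        /* sll_protocol is in network byte order */
    int sll_ifindex;
    unsigned short sll_hatype;
    unsigned char sll_pkttype, sll_halen, sll_addr[8];
};
#define EX_SLL_OFF EX_ALIGN(sizeof(struct ex_tpacket_hdr))
#define EX_HDRLEN  (EX_SLL_OFF + sizeof(struct ex_sockaddr_ll))

/* Returns 0 and fills the outputs, or -1 when the record is truncated or inconsistent. */
int ex_parse_frame(const unsigned char *buf, size_t len,
                   uint16_t *ethertype, size_t *data_off, size_t *data_len) {
    struct ex_tpacket_hdr h;
    struct ex_sockaddr_ll sll;
    if (len < EX_HDRLEN) return -1;
    memcpy(&h, buf, sizeof h);                      /* copy out: buf may be unaligned */
    memcpy(&sll, buf + EX_SLL_OFF, sizeof sll);
    if (h.tp_mac < EX_HDRLEN || h.tp_mac > len) return -1;  /* data must follow both headers */
    if (h.tp_snaplen > len - h.tp_mac) return -1;           /* captured bytes must fit */
    if (sll.sll_halen > sizeof sll.sll_addr) return -1;     /* address length is untrusted */
    *ethertype = ntohs(sll.sll_protocol);
    *data_off = h.tp_mac; *data_len = h.tp_snaplen;
    return 0;
}
/* Constructed sample: an IPv4-over-Ethernet record; returns its length, or 0 if cap is too small. */
size_t ex_build_sample(unsigned char *buf, size_t cap, unsigned int snaplen) {
    struct ex_tpacket_hdr h = {0};
    struct ex_sockaddr_ll sll = {0};
    h.tp_len = h.tp_snaplen = snaplen;
    h.tp_mac = (unsigned short)(EX_ALIGN(EX_HDRLEN + 16) - 14);  /* 14 = Ethernet header */
    sll.sll_protocol = htons(0x0800);
    if ((size_t)h.tp_mac + snaplen > cap) return 0;
    memset(buf, 0, (size_t)h.tp_mac + snaplen);
    memcpy(buf, &h, sizeof h);
    memcpy(buf + EX_SLL_OFF, &sll, sizeof sll);
    return (size_t)h.tp_mac + snaplen;
}
int main(void) {
    unsigned char rec[256]; uint16_t et = 0; size_t off = 0, n = 0;
    size_t len = ex_build_sample(rec, sizeof rec, 60);
    return (ex_parse_frame(rec, len, &et, &off, &n) == 0 && et == 0x0800) ? 0 : 1;
}
```

Because tpacket_hdr contains an unsigned long, its unpadded size differs between 32-bit and 64-bit hosts, so a log written on one and read on the other needs fixed-width field reads rather than these native structs.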
