Hi again,

Any will return a header of type DLT_LINUX_SLL.
It's defined here:

(From the man page)
-----------------------------------
DLT_LINUX_SLL
    Linux "cooked" capture encapsulation; the link layer header
    contains, in order:

    a 2-byte "packet type", in network byte order, which is one of:

        0   packet was sent to us by somebody else
        1   packet was broadcast by somebody else
        2   packet was multicast, but not broadcast, by somebody else
        3   packet was sent by somebody else to somebody else
        4   packet was sent by us

    a 2-byte field, in network byte order, containing a Linux
    ARPHRD_ value for the link layer device type;

    a 2-byte field, in network byte order, containing the length of
    the link layer address of the sender of the packet (which could
    be 0);

    an 8-byte field containing that number of bytes of the link
    layer header (if there are more than 8 bytes, only the first 8
    are present);

    a 2-byte field containing an Ethernet protocol type, in network
    byte order, or containing 1 for Novell 802.3 frames without an
    802.2 LLC header or 4 for frames beginning with an 802.2 LLC
    header.
-----------------------------------

To handle this, if you are only using the any device, then you could simply create a structure like this one to replace your Ethernet one (ether_header).

    #include <sys/types.h>     /* u_short */

    struct dlt_linux_sll {
        u_short packet_type;   /* network byte order */
        u_short ARPHRD;        /* Linux ARPHRD_ value */
        u_short slink_length;  /* length of the sender's link layer address */
        u_short bytes[4];      /* 8-byte link layer address field */
        u_short ether_type;    /* network byte order; convert with ntohs() */
    };

Cast your packet as this, and then read ether_type as before.

- Pete

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of aman Reddy
Sent: 09 December 2004 16:16
To: [EMAIL PROTECTED]
Subject: Re: [tcpdump-workers] some problem in the source code

Hi Peter,

But one thing I didn't understand is: if I keep "any" as the first argument to pcap_open_live() then it will capture packets coming from devices like eth0 or eth1, which are Ethernet type. You mean if I capture packets using the eth0 interface then I will get the Ethernet link layer header, and using "any" I will get a different header type.
Then how to dissect this kind of packet? Please help me,

Regards,
Aman.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.