On Dec 23, 2011, at 9:02 PM, [email protected] wrote:
> The "any" device is not an ethernet device, but a virtual thing
> that will bring you (at least on Linux) a "Linux Cooked" header
> instead of an ethernet header.
The "any" device currently only exists on Linux, so there's nothing other than
Linux involved in that case.
> You should google for "linux cooked header".
Or just look at
http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html
Whenever a program opens a device to perform a capture, or opens a "savefile"
with pcap_open_offline(), one of the first things the program should do is call
pcap_datalink() on the pcap_t * it gets back from the open, to find out the
type of link-layer headers it will get from the pcap_t. See
http://www.tcpdump.org/linktypes.html
for a list of the link-layer header types. Each link-layer header type on that
page has:
    a LINKTYPE_ value, which is what appears in the file header of a pcap
    file and in an Interface Description Block in a pcap-ng file;

    a DLT_ value, which is what pcap_datalink() returns for capture devices
    and files with that link-layer header type;

    a description.
The program should have a set of DLT_ values that it can handle, and it should
not try to print packets if the DLT_ value isn't one it can handle.
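The link-type check described in the message above, as an added example that is not part of the original e-mail or of libpcap. So that it builds without libpcap it reads the LINKTYPE_ value straight from a classic pcap file header instead of calling pcap_datalink(); the function names and the sample bytes are constructed for illustration, and the two numeric values are the same numbers as DLT_EN10MB and DLT_LINUX_SLL.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define LINKTYPE_ETHERNET   1    /* Ethernet header, 14 bytes */
#define LINKTYPE_LINUX_SLL  113  /* "Linux cooked" header from the "any" device, 16 bytes */

/* Constructed sample data: a little-endian pcap file header and one cooked packet. */
static const uint8_t sample_hdr[24] = {0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0,
                                       0,0,0,0, 0xff,0xff,0,0, 0x71,0,0,0};
static const uint8_t sample_sll[17] = {0,0, 0,1, 0,6, 0x00,0x11,0x22,0x33,0x44,0x55,0,0,
                                       0x08,0x00, 0x45};

/* Read a 32-bit field in the byte order the file was written in. */
static uint32_t rd32(const uint8_t *p, int big) {
    return big ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
               : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* Return the LINKTYPE_ value from a 24-byte pcap file header, or -1 if it is not one. */
long pcap_file_linktype(const uint8_t *hdr, size_t len) {
    if (len < 24) return -1;
    uint32_t magic = rd32(hdr, 1);
    if (magic == 0xa1b2c3d4u) return (long)rd32(hdr + 20, 1);  /* written big-endian */
    if (magic == 0xd4c3b2a1u) return (long)rd32(hdr + 20, 0);  /* written little-endian */
    return -1;
}

/* Return the offset of the payload after the link-layer header and store the
   header's protocol field, or -1 for an unhandled link type or a short packet. */
int link_payload(long linktype, const uint8_t *pkt, size_t caplen, uint16_t *proto) {
    size_t hlen, poff;
    switch (linktype) {
    case LINKTYPE_ETHERNET:  hlen = 14; poff = 12; break;
    case LINKTYPE_LINUX_SLL: hlen = 16; poff = 14; break;
    default: return -1;  /* refuse rather than parse with the wrong layout */
    }
    if (caplen < hlen) return -1;
    *proto = (uint16_t)(pkt[poff] << 8 | pkt[poff + 1]);
    return (int)hlen;
}

int main(void) {
    uint16_t proto = 0;
    long lt = pcap_file_linktype(sample_hdr, sizeof sample_hdr);
    int off = link_payload(lt, sample_sll, sizeof sample_sll, &proto);
    printf("linktype=%ld payload_offset=%d proto=0x%04x\n", lt, off, (unsigned)proto);
    return 0;
}
```

Treating the cooked packet as Ethernet would read bytes 12-13 as the protocol and start the payload two bytes early, which is why an unknown link type is rejected instead of guessed.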