On Aug 31, 2016, at 11:49 AM, Jonathan Brucker <jonathan.bru...@gmail.com> 
wrote:

> On Wed, Aug 31, 2016 at 6:27 PM, Guy Harris <g...@alum.mit.edu> wrote:
>> On Aug 31, 2016, at 11:03 AM, Jonathan Brucker <jonathan.bru...@gmail.com> 
>> wrote:
>> 
>>> RFtap is here to bridge this gap, for all protocols.
>> 
>> That's exactly why I don't like its current design!
>> 
>> Can we please kill off the idea of meta-data headers that contain link-layer 
>> header types, so that you have a LINKTYPE_/DLT_ value where the packet 
>> payload could have extremely different protocol link-layer header types, now 
>> and forever?
>> 
>> Now, if you want to provide the *measured* information in a 
>> protocol-independent fashion, a better way, that doesn't have the "LINKTYPE_ 
>> value says nothing whatsoever about the actual link-layer protocol" problem, 
>> we could have *multiple* LINKTYPE_ values, for "RFtap followed by Radiotap 
>> followed by 802.11" and "RFtap followed by GSMTAP followed by GSMTAP 
>> payload" and so on.
> 
> We could split the 32-bit value of LINKTYPE

It's a 16-bit value in pcapng:

        
http://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?url=https://raw.githubusercontent.com/pcapng/pcapng/master/draft-tuexen-opsawg-pcapng.xml&modeAsFormat=html/ascii&type=ascii#rfc.section.4.2

so you don't have 32 bits to use.

>>> The cross section of BPF users and RFtap users may be empty.
>>> RFtap is more oriented towards higher-level tools such as Wireshark
>>> and Scapy.
>> 
>> You are aware that Wireshark, at least, uses libpcap/WinPcap to capture, and 
>> therefore uses BPF when capturing?  I'm not sure about Scapy, but it might 
>> support libpcap filters as well.
> 
> Sure, I meant users that actually use the *filters* in BPF. For higher
> level tools, BPF is mostly used just as a conduit, with a filter to
> accept all packets.
> With RFtap, the filtering is expected to be done mostly using Wireshark
> dissectors or Scapy dissectors.

Actually, the Wireshark developers expect people to do libpcap-layer filtering 
when using Wireshark, and often recommend doing it.
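As an added illustration of the 16-bit LinkType point above (example code written for this thread, not code from the pcapng draft, RFtap, or any of the participants), the following builds a minimal little-endian pcapng stream with two Interface Description Blocks and parses the LinkType back out of each. The block layout (Block Type, Block Total Length, LinkType u16, Reserved u16, SnapLen u32, trailing Block Total Length) follows section 4.2 of the linked draft; the LINKTYPE_ numbers used for sample input are the registered Ethernet (1) and Radiotap (127) values, and no RFtap linktype is assumed.

```python
import struct

# pcapng block type codes and the Section Header Block byte-order magic,
# as given in the pcapng draft linked above.
SHB_TYPE = 0x0A0D0D0A
IDB_TYPE = 0x00000001
BYTE_ORDER_MAGIC = 0x1A2B3C4D

# Registered LINKTYPE_ values used only as constructed sample input.
LINKTYPE_ETHERNET = 1
LINKTYPE_IEEE802_11_RADIOTAP = 127


def build_shb():
    """Minimal little-endian Section Header Block, version 1.0, no options,
    section length -1 (unknown)."""
    body = struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1)
    total = 4 + 4 + len(body) + 4          # type + length + body + trailing length
    return struct.pack("<II", SHB_TYPE, total) + body + struct.pack("<I", total)


def build_idb(linktype, snaplen=65535):
    """Minimal Interface Description Block with no options.
    LinkType is packed as 'H' (16 bits), so struct.pack refuses anything
    above 0xFFFF; that is the limit the message above refers to."""
    body = struct.pack("<HHI", linktype, 0, snaplen)   # LinkType, Reserved, SnapLen
    total = 4 + 4 + len(body) + 4
    return struct.pack("<II", IDB_TYPE, total) + body + struct.pack("<I", total)


def linktype_fits(value):
    """True if value can be stored in the pcapng IDB LinkType field."""
    try:
        struct.pack("<H", value)
        return True
    except struct.error:
        return False


def parse_idb_linktypes(data):
    """Walk the blocks of a little-endian pcapng byte string and return the
    LinkType of every Interface Description Block, in file order.
    Unknown block types are skipped using their Block Total Length."""
    linktypes = []
    off = 0
    while off + 8 <= len(data):
        btype, total = struct.unpack_from("<II", data, off)
        # Every block carries at least type, length and trailing length (12 bytes)
        # and must be a multiple of 4; reject anything that would overrun the buffer.
        if total < 12 or total % 4 != 0 or off + total > len(data):
            raise ValueError("bad block length %d at offset %d" % (total, off))
        if btype == IDB_TYPE:
            linktype, _reserved, _snaplen = struct.unpack_from("<HHI", data, off + 8)
            linktypes.append(linktype)
        off += total
    return linktypes


if __name__ == "__main__":
    # Constructed sample capture: one section, two interfaces.
    stream = build_shb() + build_idb(LINKTYPE_IEEE802_11_RADIOTAP) + build_idb(LINKTYPE_ETHERNET)
    print("IDB LinkTypes:", parse_idb_linktypes(stream))   # [127, 1]
    print("0xFFFF fits:", linktype_fits(0xFFFF))            # True
    print("0x10000 fits:", linktype_fits(0x10000))          # False
```

The Reserved field beside LinkType is also 16 bits, so even the whole 32-bit word in that block does not give a 32-bit link-layer type value to subdivide without changing the format.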
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers