Re: [tcpdump-workers] [RFC TCPDUMP PATCH 2/2] Add sll_ifindex into sll_header + use it to print ifname

Tue, 31 Jul 2018 05:11:04 -0700 

 ---- On Fri, 13 Jul 2018 08:40:47 +0100 Denis Ovsienko <de...@ovsienko.info> 
wrote ---- 
 >  ---- On Thu, 12 Jul 2018 20:38:08 +0100 Guy Harris <ghar...@sonic.net> 
 > wrote ---- 
 >  > On Jul 12, 2018, at 11:33 AM, Petr Vorel <pvo...@suse.cz> wrote: 
 >  >  
 >  > > +#ifdef PCAP_SUPPORT_SLL_V2 
 >  > > +    char ifname[IF_NAMESIZE]; 
 >  > > +    if (if_indextoname(EXTRACT_BE_U_6(sllp->sll_ifindex), ifname)) 
 >  > > +        ND_PRINT("IFNAME %s ", ifname); 
 >  > > +#endif 
 >  >  
 >  > What happens if you capture traffic on machine A and print it on machine 
 > B, where machines A and B have different sets of network interfaces? 
 >  >  
 >  > (This is why pcapng has Interface Description Blocks - so that the list 
 > of interfaces is part of the file, so you use *that*, rather than the 
 > configuration of interfaces on the machine running the program reading the 
 > capture, to get interface names.) 
 > 
 > What if the MBZ field of SLL2 encoding was first, and its values meant the 
 > following:
 > 
 > * 0x0000: the rest of the packet structure is a packet (like it is now)
 > * 0x0001: interface X exists, has name Y and is up (down) and is (is not) in 
 > promiscuous mode
 > * 0x0002: interface X no longer exists
 > 
 > Then in future it will be possible to interleave packet events with 
 > interface events. At the start of the capture it will be possible to have a 
 > sequence of interface declarations before any packets, and later on it will 
 > be possible to encode the interface name changes in the middle of the packet 
 > events. Then it will be possible to record the sequence of the events and 
 > interface names more or less accurately (less the synchronization between 
 > the capture buffer and the netlink socket), and to replay later.
 > 

It would be right to attribute the idea of events interleaving properly: the 
suggestion above is very close to or the same as what Paul Evans suggested 
before me on 11 April 2018 in 
https://github.com/the-tcpdump-group/tcpdump/issues/296

It could have been made even before that elsewhere, but I do not have exact 
information at this time.

-- 
    Denis Ovsienko


_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers

Reply via email to