On Aug 24, 2022, at 11:31 AM, Christian via tcpdump-workers
<tcpdump-workers@lists.tcpdump.org> wrote:
> Hello everyone, another question that I have is which DLT-type I should use
> for my libpcap-module. Since I'm writing a module which acquires data from a
> kernel module, which in turn has no IP-based packages at all. I have to
> define my very own data-type from the base onwards. But because this is
> nothing worth to release (maybe only for documentation of an example) I would
> rather use a DLT_USERn linktype. But this is only defined on applications
> which use pcap lib, not libpcap itself?
"Defined" in what sense?
The only ways in which the code in the libpcap library "defines" a
LINKTYPE_/DLT_ value's format are
1) the code that compiles filter expressions needs to know the format
of the data in a packet of a given link-layer type;
2) in order to deal with some link-layer header types where data is in
the byte order of the host that wrote the file, libpcap, when reading a file,
may have to byte-swap host-byte-order fields from the byte order of the host
that wrote the file into the byte order of the host that's reading the file if
the two are different, and the remote-pcap protocol code must do so with packet
data from a remote server if the byte orders of the two hosts are different.
Code that reads pcap and pcapng files, whether with libpcap or independent code
for reading pcap and pcapng files, has to provide its *own* code to interpret
the packets; if a new LINKTYPE_/DLT_ value is added, neither tcpdump nor
Wireshark nor any other program will acquire the ability to handle that file
format as a result of any changes to libpcap for that format - new code will
have to be written for those programs.
I.e., making tcpdump or Wireshark or... handle your data-link type is up to
you. You'll have to modify tcpdump or Wireshark, or add a plugin for Wireshark.
(And note that code that processes those files doesn't define the formats; they
follow the definitions of the formats. The *definitions* of the formats are
currently at
https://www.tcpdump.org/linktypes.html
However, those definitions themselves may refer to other specifications. For
example, the format of LINKTYPE_ETHERNET/DLT_EN10MB packet data is really
defined by the LAN/MAN Standards Committee of the IEEE Computer Society, not by
The Tcpdump Group or the libpcap code.)
> Another question is: how to map the structure(s) in which I define my data
> types with the symbol in dlt.h?
"Map" in what sense?
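Taking the byte-order point and the "you interpret it yourself" point above literally, here is an added Python example (not code from the thread or from libpcap): a minimal classic-pcap writer and reader for a LINKTYPE_USER0 capture. The per-packet private header (sensor id plus message type) is a hypothetical layout standing in for the kernel-module format.

```python
import struct
LINKTYPE_USER0 = 147        # LINKTYPE_USER0..USER15 (147..162) are reserved for private use
PCAP_MAGIC = 0xA1B2C3D4     # classic pcap magic number (microsecond timestamps)
# Hypothetical private link-layer header, fixed big-endian so a reader never has to guess;
# the file headers, by contrast, are in whatever byte order the writing host used.
PRIV_HDR = struct.Struct(">IH")   # sensor_id (u32), msg_type (u16), then the raw body

def write_pcap(records, bo="<"):
    """Serialise (ts_sec, ts_usec, pkt) records as a classic pcap image; bo = writer byte order."""
    out = struct.pack(bo + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_USER0)
    for ts_sec, ts_usec, pkt in records:
        out += struct.pack(bo + "IIII", ts_sec, ts_usec, len(pkt), len(pkt)) + pkt
    return out

def read_pcap(data):
    """Parse a classic pcap image: the magic gives the writer's byte order, so file and record
    headers are swapped as needed, but packet data comes back untouched (USERn is opaque)."""
    if struct.unpack_from("<I", data, 0)[0] == PCAP_MAGIC:
        bo = "<"
    elif struct.unpack_from(">I", data, 0)[0] == PCAP_MAGIC:
        bo = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(bo + "IHHiIII", data, 0)[6]
    records, off = [], 24
    while off < len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack_from(bo + "IIII", data, off)
        off += 16
        if off + incl > len(data):
            raise ValueError("truncated record")
        records.append((ts_sec, ts_usec, data[off:off + incl]))
        off += incl
    return linktype, records

def decode_user0(pkt):
    """Application-side interpretation of the private format; only meaningful for link type 147."""
    if len(pkt) < PRIV_HDR.size:
        raise ValueError("packet shorter than private header")
    sensor_id, msg_type = PRIV_HDR.unpack_from(pkt, 0)
    return sensor_id, msg_type, pkt[PRIV_HDR.size:]

def roundtrip(bo):
    # Constructed sample: two records from the hypothetical kernel module, written in byte order bo.
    recs = [(1661340000, 0, PRIV_HDR.pack(7, 1) + b"\x01\x02"),
            (1661340001, 500, PRIV_HDR.pack(7, 2) + b"\xff")]
    linktype, got = read_pcap(write_pcap(recs, bo))
    if linktype != LINKTYPE_USER0:
        raise ValueError("unexpected link type %d" % linktype)
    return [decode_user0(pkt) for _, _, pkt in got]
```

The reader only ever learns the number 147 from the file; decode_user0 is the kind of code the reply says tcpdump or Wireshark would also need before they could show anything for such a capture.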
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers