I tried some limited token-ring testing on AIX 5.1 and the results look good so far. The timestamp conversion from nanoseconds to microseconds appears to be correct, and the linktype is reported as 1 for ethernet and 6 (DLT_IEEE802 or LINKTYPE_TOKEN_RING) for token-ring. This should allow platform transparency for those who need to move tcpdump capture files between different platforms. Sadly, this is the very same value that the 'native' AIX tcpdump uses to indicate ethernet, which is sure to cause problems for the unwary.
The speculation that the AIX BPF implementation derives linktype from the IFT_ definitions instead of the DLT_ ones appears to be correct. The native AIX tcpdump uses these values from /usr/include/net/if_types.h

#define IFT_ETHER 0x6 /* Ethernet CSMACD */
#define IFT_ISO88023 0x7 /* CMSA CD */
#define IFT_ISO88025 0x9 /* Token Ring */

The open version uses these values from /usr/include/net/bpf.h

#define DLT_EN10MB 1 /* Ethernet (10Mb) */
#define DLT_IEEE802 6 /* IEEE 802 Networks */

I don't have a system configured to use IEEE802.3 ethernet (interface et0) instead of ethernet II, but I suspect that we would see a linktype of 7.

Don Ebright
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
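
An added example, not part of the original message or of tcpdump: a check for anyone handling capture files from both tcpdump builds, which reads the link-type field from a capture file header and reports when the value means different things under the DLT_ and IFT_ numbering quoted above. It assumes the classic 24-byte pcap file header with magic 0xa1b2c3d4; the function names and sample headers are constructed for illustration, and the tables hold only the values quoted in the message.

```python
import struct

# Link-type values quoted in the message above (no others are tabulated).
DLT = {1: "DLT_EN10MB", 6: "DLT_IEEE802"}                            # net/bpf.h
IFT = {0x6: "IFT_ETHER", 0x7: "IFT_ISO88023", 0x9: "IFT_ISO88025"}   # net/if_types.h

PCAP_MAGIC = 0xA1B2C3D4  # classic (microsecond) pcap file magic


def read_linktype(header: bytes) -> int:
    """Return the link-type field from a 24-byte classic pcap file header."""
    if len(header) < 24:
        raise ValueError("pcap file header is 24 bytes")
    for order in ("<", ">"):  # the magic reveals the writer's byte order
        if struct.unpack(order + "I", header[:4])[0] == PCAP_MAGIC:
            return struct.unpack(order + "I", header[20:24])[0]
    raise ValueError("not a classic pcap file")


def interpretations(linktype: int):
    """Name the value under both numbering schemes (None if not listed)."""
    return DLT.get(linktype), IFT.get(linktype)


def is_ambiguous(linktype: int) -> bool:
    """True when both schemes define the value, so the writer matters."""
    dlt, ift = interpretations(linktype)
    return dlt is not None and ift is not None


def make_header(linktype: int, order: str = ">") -> bytes:
    """Constructed sample header: version 2.4, snaplen 65535."""
    return struct.pack(order + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)


if __name__ == "__main__":
    for value in (1, 6, 7, 9):
        lt = read_linktype(make_header(value))
        dlt, ift = interpretations(lt)
        note = "AMBIGUOUS: check which tcpdump wrote the file" if is_ambiguous(lt) else ""
        print(f"linktype {lt}: DLT={dlt} IFT={ift} {note}")
```
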
