On Thu, Mar 07, 2002 at 04:13:02PM -0500, Ebright, Don wrote:
> I tried some limited token-ring testing on AIX 5.1 and the results look good
> so far.

Have you run into the EFAULT problem yet?

> The timestamp conversion from nanoseconds to microseconds appears
> to be correct, and the linktype is reported as 1 for ethernet and 6
> (DLT_IEEE802 or LINKTYPE_TOKEN_RING) for token-ring. This should allow
> platform transparency for those who need to move tcpdump capture files
> between different platforms. Sadly, this is the very same value that the
> 'native' AIX tcpdump uses to indicate ethernet, which is sure to cause
> problems for the unwary.

Fortunately, it appears that AIX's libpcap uses a minor version number of 2 in its capture files, rather than the minor version number of 4 that current libpcap uses.

The capture file reading library in Ethereal assumes that a libpcap capture file with a minor version number of 2 and a link-layer type of 6 (Ethernet), 8 (a typo for 9 for Token Ring, which I'll fix now), or 15 (FDDI) is an AIX tcpdump capture file.

This leaves it vulnerable to misreading old libpcap capture files, but libpcap has used a version of 4 going back at least as far as the last LBL release, the 0.4 release, so I suspect a file with a version number of 2 is more likely to be an AIX capture file than an old libpcap capture file.

I don't know whether we'd want to put a similar hack into libpcap or not.

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
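The header check described in the message above, written out as an added example in C; it is not part of the original message and is not Ethereal's or libpcap's code. Assumptions: the standard 24-byte libpcap file header with magic 0xa1b2c3d4, DLT_FDDI = 10 as in libpcap's headers, hypothetical names (`classify_pcap_header`, `struct pcap_info`), and constructed sample headers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define PCAP_MAGIC 0xa1b2c3d4u   /* classic libpcap file magic (assumed) */
enum { DLT_EN10MB = 1, DLT_IEEE802 = 6, DLT_FDDI = 10 };  /* libpcap values */
struct pcap_info { int aix; uint16_t minor; uint32_t raw_linktype, linktype; };

/* Read a 32-bit field in the file's byte order (le != 0: little-endian). */
static uint32_t get32(const uint8_t *p, int le)
{
    return le ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
              : (uint32_t)p[3] | (uint32_t)p[2] << 8 | (uint32_t)p[1] << 16 | (uint32_t)p[0] << 24;
}

/* Classify a pcap file header; 0 on success, -1 if too short or bad magic. */
int classify_pcap_header(const uint8_t *h, size_t len, struct pcap_info *out)
{
    int le;
    if (len < 24) return -1;
    if (get32(h, 1) == PCAP_MAGIC) le = 1;
    else if (get32(h, 0) == PCAP_MAGIC) le = 0;
    else return -1;
    out->minor = le ? (uint16_t)(h[6] | h[7] << 8) : (uint16_t)(h[7] | h[6] << 8);
    out->raw_linktype = out->linktype = get32(h + 20, le);
    out->aix = 0;
    if (out->minor == 2) {           /* heuristic: minor 2 => AIX numbering */
        switch (out->raw_linktype) {
        case 6:  out->linktype = DLT_EN10MB;  out->aix = 1; break; /* Ethernet */
        case 9:  out->linktype = DLT_IEEE802; out->aix = 1; break; /* Token Ring */
        case 15: out->linktype = DLT_FDDI;    out->aix = 1; break; /* FDDI */
        }
    }
    return 0;
}

/* Constructed sample headers, not taken from real capture files. */
static const uint8_t aix_hdr[24] = { 0xa1,0xb2,0xc3,0xd4, 0,2, 0,2,
    0,0,0,0, 0,0,0,0, 0,0,0x05,0xdc, 0,0,0,6 };   /* big-endian, v2.2, type 6 */
static const uint8_t std_hdr[24] = { 0xd4,0xc3,0xb2,0xa1, 2,0, 4,0,
    0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 6,0,0,0 };   /* little-endian, v2.4, type 6 */

int main(void)
{
    struct pcap_info a, s;
    if (classify_pcap_header(aix_hdr, sizeof aix_hdr, &a) == 0)
        printf("aix_hdr: aix=%d linktype=%u\n", a.aix, (unsigned)a.linktype);
    if (classify_pcap_header(std_hdr, sizeof std_hdr, &s) == 0)
        printf("std_hdr: aix=%d linktype=%u\n", s.aix, (unsigned)s.linktype);
    return 0;
}
```

Both sample headers carry link type 6; only the minor version decides whether it is read as Ethernet (AIX numbering) or Token Ring (libpcap numbering).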
