[tcpdump-workers] LINUX_SLL2

Denis Ovsienko denis at ovsienko.info
Wed Feb 25 05:20:40 EST 2015

---- On Sun, 15 Feb 2015 19:34:37 +0000 Paul "LeoNerd" Evans<leonerd at leonerd.org.uk> wrote ---- 
 > On Tue, 13 Jan 2015 00:29:43 +0200 
 > Denis Ovsienko <denis at ovsienko.info> wrote: 
 > > List, 
 > >  
 > > there is an idea to improve libpcap and tcpdump to enable the latter 
 > > to print interface name (index) and direction of each packet: 
 > >  
 > > https://github.com/the-tcpdump-group/tcpdump/issues/296 
 > > https://github.com/the-tcpdump-group/libpcap/issues/127 
 > >  
 > > It is pretty much clear how to do that: the only way would be through 
 > > a new DLT, a proposal for which is made here: 
 > > https://github.com/the-tcpdump-group/tcpdump-htdocs/pull/3 
 > >  
 > > Let me ask for feedback on this change because the original author 
 > > has issues posting to the mailing list. 
 > So, uhm... 
 > Any thoughts on this so far? I'm really keen to have it applied, 
 > because I already have a full implementation of a tcpdump-like program 
 > that I wrote almost entirely *because* libpcap+tcpdump can't do this. 
 > It would be great to have it supported by core after all. 

There are following differences of the proposed SLL2 from the existing SLL:

1. the Packet type field is 1 byte long (now as in struct sockaddr_ll)
2. same for the Link-layer address length field
3. there is a new Interface index field 4 bytes long (same as in sockaddr_ll)

This makes SLL2 quite close to sockaddr_ll (except the the order of fields and the sll_family field, which is told to be equal to AF_PACKET in this case). In other words, it looks sufficiently good on paper to proceed with the implementation.

    Denis Ovsienko

More information about the tcpdump-workers mailing list