[tcpdump-workers] DLT type for Libpcap Library

Guy Harris gharris at sonic.net
Sun Aug 28 16:24:40 EDT 2022


On Aug 24, 2022, at 11:31 AM, Christian via tcpdump-workers <tcpdump-workers at lists.tcpdump.org> wrote:

> Hello everyone, another question that I have is which DLT-type I should use for my libpcap-module. Since Im writing a module which acquires data from a kernel module, which in turn has no IP-based packages at all. I have to define my very own data-type from the base onwards. But because this is nothing worth to release (maybe only for documentation of an example) I would rather use a DLT_USERn linktype. But this is only defined on applications which use pcap lib, not libpcap itself?

"Defined" in what sense?

The only ways in which the code in the libpcap library "defines" a LINKTYPE_/DLT_ value's format are

	1) the code that compiles filter expressions needs to know the format of the data in a packet of a given link-layer type;

	2) in order to deal with some link-layer header types where data is in the byte order of the host that wrote the file, libpcap, when reading a file, may have to byte-swap host-byte-order fields from the byte order of the host that wrote the file into the byte order of the host that's reading the file if the two are different, and the remote-pcap protocol code must do so with packet data from a remote server if the byte orders of the two hosts are different.

Code that reads pcap and pcapng files, whether with libpcap or independent code for reading pcap and pcapng files, has to provide its *own* code to interpret the packets; if a new LINKTYPE_/DLT_ value is added, neither tcpdump nor Wireshark nor any other program will acquire the ability to handle that file format as a result of any changes to libpcap for that format - new code will have to be written for those programs.

I.e., making tcpdump or Wireshark or... handle your data-link type is up to you.  You'l have to modify tcpdump or Wireshark, or add a plugin for Wireshark.

(And note that code that processes those files doesn't define the formats; they follow the definitions of the formats.  The *definitions* of the formats are currently at

	https://www.tcpdump.org/linktypes.html

However, those definitions themselves may refer to other specifications.  For example, the format of LINKTYPE_ETHERNET/DLT_EN10MB packet data is really defined by the LAN/MAN Standards Committee of the IEEE Computer Society, not by The Tcpdump Group or the libpcap code.)

> Another question is: how to map the structure(s) in which I define my data types with the symbol in dlt.h?

"Map" in what sense?


More information about the tcpdump-workers mailing list