[tcpdump-workers] DLT type for Libpcap Library

Christian chris at argonautx.net
Mon Aug 29 09:13:07 EDT 2022


> "Defined" in what sense?
>
First of all, I want to define a header, with a magic byte maybe, a time 
stamp, length of the whole packet and so on. Something which wraps my 
actual data and which libpcap can recognize or rather expect as data 
which can be read from my device node.

Right now, if I try to connect tcpdump with my device node for reading 
and receiving data, I only get a:

listening on kpnode0, link-type 147, snapshot length 262144 bytes

pcap_stats: this operation isn't properly handelst by that device.

My kernel module provides data in packets which is preceded by a header 
which I deliberately defined for libpcap to recognize as data from MY 
device. This is what I understood to do it. My question now is, where 
should I define my datatype within the libpcap source code? I associate 
my data type with the free user defined DLT_USER0, so that is the reason 
why pcap mentioned link-type 147. I'm not stuck on that user defined 
type. Maybe it's better to define a whole new data type like e.g. 
DLT_USB_LINUX. Anyway it's nothing destined for release. For now I'm just 
happy if libpcap accepts my header data type to read. Filtering and all 
this comes later. I guess I have to make changes in my kernel probe, or 
write a BPF function?

>
>> Another question is: how to map the structure(s) in which I define my data types with the symbol in dlt.h?
> "Map" in what sense?

In a way, so that I can define a struct of my header data (with other 
structs nested maybe) and this struct is associated as DLT_USER0. Or 
something similar?

Thanks in advance


BR Christian




