Wireshark · Ethereal-users: Re: [Ethereal-users] protocol identification in libpcap header

Ethereal-users: Re: [Ethereal-users] protocol identification in libpcap header - help needed

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Guy Harris" <gharris@xxxxxxxxx>

Date: Thu, 10 Jun 2004 10:08:21 -0700 (PDT)

vidyadhari dharmaraju said:
> I am trying to find how are the ppp,ip,tcp.udp,arp,ethernet captures
> distinguished by the libpcap format.

There are no "tcp", "udp", or "arp" captures.  There are PPP, "raw IP",
and Ethernet captures, but the libpcap format knows nothing about TCP,
UDP, or ARP.  There can be TCP, UDP, and ARP packets in libpcap files, but
those must also be PPP, "raw IP", Ethernet, etc. packets, and there's
nothing, other than the raw packet data, that indicates whether they're
TCP, UDP, or ARP packets.

> I have understood that "network" field in the libpcap header indicates the
> type of the capture. For example,
>
> 0x3200 0000  indicates capture starting with PPP frame

No.  9 or 48, in whatever byte order happens to be used in the capture
file, indicates a capture containing PPP packets; that could be
0x00000032, 0x00000009, 0x32000000, or 0x09000000, depending on the byte
order of the host doing the capture.  The byte order of values in the file
header and the packet header is determined by looking at the magic number
in the header and seeing what byte order *it* has.

> 0x6A00 0000 indicates capture starting with classic IP

The same byte order issues apply there.

Note that if you use libpcap to read a capture file, you just call
"pcap_datalink()" to get the link-layer type, and it'll take care of the
byte-order issues for you.

> like wise, can anyone tell me how to identify other protocol captures?? Or
> can you please tell me where should I look into Ethereal source code to
> get these numbers??

You should be using libpcap (or one of the wrappers for libpcap for
whatever programming language you're using, e.g. Net::Pcap for Perl) to
read the capture file, if you can.

If you're using libpcap, the values are defined either in
"/usr/include/net/bpf.h" or "/usr/local/include/net/bpf.h" (or wherever
that file happens to be installed) in older versions and
"/usr/include/pcap-bpf.h" or "/usr/local/include/pcap-bpf.h" (or wherever
that file happens to be installed) in newer versions.  Look for all the
DLT_ definitions in that file.

References:
- [Ethereal-users] protocol identification in libpcap header - help needed
  - From: vidyadhari dharmaraju

Prev by Date: Re: [Ethereal-users] determining AP auth mode (open system or shared key) based on probe response
Next by Date: [Ethereal-users] Using editcap for file conversion
Previous by thread: [Ethereal-users] protocol identification in libpcap header - help needed
Next by thread: [Ethereal-users] Using editcap for file conversion
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$