Hi,
I'm trying to capture packets from an Intel WiFi 5100 interface, under
Ubuntu 10.04. If I run tcpdump or any equivalent (like wireshark), I see
the interface datalink is set to EN10MB and the data retrieved is rather
self-explanatory, with standard Ethernet MAC header plus IP/TCP headers.
Instead, if I start capturing with my application linked against libpcap
the link layer type is set to LinuxSLL (namely "Linux Cooked SLL").
This configuration is imposed by default as I start capturing with
"pcap_open_live" function, and I can retrieve it with "pcap_datalink"
function, while I can list all the available datalinks for a given
interface with "pcap_list_datalinks". I can change the datalink with
"pcap_set_datalink".
What came out is that I'm using LINUX_SLL datalink type, and that's the
only available one for the interface considered.
This is odd as I see tcpdump setting the datalink to EN10MB for that
same interface.
Another strange thing is that the packet bytes retrieved seem to only
partially resemble this LinuxSLL header (which is briefly described here
http://www.manpagez.com/man/7/pcap-linktype/).
Just to give a short example: a plain retrieved packet data looks like
the following:
00 01 00 01 00 06 00 90 7f 42 01 6b 00 00 08 06 00 01 08 00 06 04 00 ...
00 01 = packet type (pkt was broadcast by somebody else)
00 01 = ?
00 06 = ?
00 90 7f 42 01 6b = This is a mac address...
00 00 = ?
08 06 = ethernet frame type
00 01 ... = IP packet header.
I can't find a proper way to read these bytes correctly, while tcpdump
easily puts the interface in datalinktype "EN10MB" and returns the
standard ethernet headers which I'm used to! How does it do the work?
What data am I looking at when I read these packets with these strange
header bytes???
Thanks in advance,
RM
I'd really need your help with this.
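
Added example, not part of the original post: a small C decoder for the 16-byte Linux cooked (DLT_LINUX_SLL) pseudo-header as laid out in the pcap-linktype man page, run over the bytes quoted above. The names sll_parse and struct sll_info are hypothetical and are not libpcap API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLL_HDR_LEN  16   /* fixed size of the cooked pseudo-header */
#define SLL_ADDR_LEN 8    /* address field is always 8 bytes, zero padded */

struct sll_info {                /* hypothetical name, not a libpcap type */
    uint16_t pkttype;            /* 0 to us, 1 broadcast, 2 multicast, 3 other host, 4 sent by us */
    uint16_t hatype;             /* Linux ARPHRD_ value; 1 = Ethernet */
    uint16_t halen;              /* real link-layer address length */
    uint8_t  addr[SLL_ADDR_LEN]; /* sender address; first addr_used bytes are valid */
    size_t   addr_used;
    uint16_t protocol;           /* EtherType: 0x0800 IPv4, 0x0806 ARP */
    const uint8_t *payload;      /* first byte after the pseudo-header */
    size_t   payload_len;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Returns 0 on success, -1 when fewer than 16 bytes were captured. */
int sll_parse(const uint8_t *buf, size_t caplen, struct sll_info *out) {
    if (buf == NULL || out == NULL || caplen < SLL_HDR_LEN)
        return -1;
    out->pkttype = be16(buf);        /* all header fields are big-endian */
    out->hatype  = be16(buf + 2);
    out->halen   = be16(buf + 4);
    out->addr_used = out->halen < SLL_ADDR_LEN ? out->halen : SLL_ADDR_LEN; /* longer addresses are truncated */
    memcpy(out->addr, buf + 6, SLL_ADDR_LEN);
    out->protocol = be16(buf + 14);
    out->payload = buf + SLL_HDR_LEN;
    out->payload_len = caplen - SLL_HDR_LEN;
    return 0;
}

/* The 23 bytes quoted in the post above. */
static const uint8_t sample[] = {
    0x00,0x01, 0x00,0x01, 0x00,0x06, 0x00,0x90,0x7f,0x42,0x01,0x6b,0x00,0x00,
    0x08,0x06, 0x00,0x01,0x08,0x00,0x06,0x04,0x00 };

int main(void) {
    struct sll_info h;
    if (sll_parse(sample, sizeof sample, &h) != 0) return 1;
    printf("pkttype=%u hatype=%u halen=%u proto=0x%04x payload=%zu bytes\n", (unsigned)h.pkttype, (unsigned)h.hatype, (unsigned)h.halen, (unsigned)h.protocol, h.payload_len);
    return 0;
}
```

With this layout the second field is the ARPHRD hardware type, the third is the address length, and the two bytes after the MAC address are padding of the fixed 8-byte address field.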