Ethereal-dev: Re: [Ethereal-dev] Encapsulation formats for MTP3 or M3UA?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Tue, 02 Aug 2005 01:16:11 -0700
Thomas Steffen wrote:

Yes, that makes sense. Of course linux cooked capture could define
such a type, even though it does not exist as an Ethernet packet type.

It could, where "it" is defined as "the Linux kernel developers". (I.e., it's ultimately not up to us, as we don't define the packet types that are in the address supplied on a recvfrom() on a PF_PACKET/SOCK_DGRAM socket, and that libpcap uses to construct the cooked capture pseudo-header.)

They'd want a type that's not a valid Ethernet type, of course.

That would be useful for me and for any MTP2 interface driver with
Linux capture capability.

Is there any other option to produce a capture file with contains
MTP2, SCTP (and TCP) packets?

MTP2-over-SCTP, or raw MTP2?

The simplest option for a packet with SCTP and TCP packets and *without* an IP header is probably to synthesize a fake IPv4 header and use DLT_RAW. If it's MTP2-over-SCTP, that can handle it.

If it's a mix of raw MTP2 and presumably-IP-based SCTP and TCP, there's no option for that, currently. With pcap-NG:

	http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html

you could make the capture have two separate interfaces, one with the raw MTP2 and one with the IP-based packets. Currently, there's no support for reading pcap-NG (in Wiretap or in libpcap), however.