Ethereal-users: [ethereal-users] Re: ATM on Linux capture (long note)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Tue, 22 Aug 2000 22:00:57 -0700
On Tue, Aug 22, 2000 at 06:11:01PM -0400, Carl Klatsky wrote:
> I tried the modified libpcap.c that you sent and had the same results as
> before with it being a network that ethereal doesn't support.  I then
> re-built using the modified capture.c and libpcap.c that you sent in
> your e-mail to the mailing list.  With that combo I still get the same
> error, but with the modified message:
> 
> "The network you're capturing from is of a type that Ethereal doesn't
> support (data link type 18)"
> 
> If I understand the way the code is connected, Ethereal needs tcpdump to
> be able to read from the interface type in question in order to pass
> that info onto/into Ethereal.

Nope.  Ethereal doesn't use tcpdump for anything; both of them use
libpcap to capture.

> If that's the case, then I believe my
> underlying problem now is that my tcpdump cannot read from my ATM
> interface.

It's not, but what I suspect *is* the underlying problem causes Ethereal
and tcpdump to have the same problem...

> When I do tcpdump -i atm0, I get a message stating
> "...unknown data type 0x12".

...except that tcpdump reports the problem in hex, for some unknown
reason, whilst Ethereal reports it in decimal.  (12 in hexadecimal is 18
in decimal.)

You probably have either

	1) a "net/bpf.h" header file that doesn't go with the libpcap
	   you have installed

or

	2) more than one "net/bpf.h" header file installed, with tcpdump
	   and Ethereal being compiled with the wrong header file (and
	   perhaps with the tcpdump not being patched to handle Linux
	   ATM).

If header files and libraries get out of sync, all sorts of hell can
break loose.

What does

	ls -l /usr/lib/libpcap* /usr/local/lib/libpcap*

report?

What does

	ls -l /usr/include/net/bpf.h /usr/local/include/bpf.h

report?

> Given the libpcap/capture changes I've received from you, can you point
> me to a "stand alone" tcpdump source that has the up-to-date ATM patches
> for it?

Unfortunately, no, as I don't have the source to whatever Mutant Tcpdump
From Hell SuSE uses.

> BTW, in the capture.c file sent out, I had a compile error of:
> capture.c:In function 'do_capture':
> capture.c:278:structure has no member named 'gui_font_name'
> 
> which I commented out and was able to move on from there.

Actually, what you want to do is to revert to the capture.c I sent you,
and then apply the attached patch to it (it backs out a change that's
in the current Ethereal CVS tree - that being what I use for all my
development - that requires a *LOT* of other changes in order to work).
Index: capture.c
===================================================================
RCS file: /usr/local/cvsroot/ethereal/capture.c,v
retrieving revision 1.121
retrieving revision 1.120
diff -c -r1.121 -r1.120
*** capture.c	2000/08/20 07:53:29	1.121
--- capture.c	2000/08/19 18:20:56	1.120
***************
*** 275,281 ****
        execlp(ethereal_path, CHILD_NAME, "-i", cfile.iface,
  		"-w", cfile.save_file, "-W", save_file_fd,
  		"-c", scount, "-s", ssnap, 
! 		"-m", prefs.gui_font_name,
  		(cfile.cfilter == NULL)? 0 : "-f",
  		(cfile.cfilter == NULL)? 0 : cfile.cfilter,
  		(const char *)NULL);	
--- 275,281 ----
        execlp(ethereal_path, CHILD_NAME, "-i", cfile.iface,
  		"-w", cfile.save_file, "-W", save_file_fd,
  		"-c", scount, "-s", ssnap, 
! 		"-m", medium_font, "-b", bold_font,
  		(cfile.cfilter == NULL)? 0 : "-f",
  		(cfile.cfilter == NULL)? 0 : cfile.cfilter,
  		(const char *)NULL);
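
Review bot: In the replacement line `"-m", medium_font, "-b", bold_font,` neither pointer is checked before it is handed to execlp, and a NULL in either position ends the argument list at that point, the same way the `(cfile.cfilter == NULL)? 0 : "-f"` line ends it on purpose. If that happened, the child would be started without "-b" and without the "-f" capture filter, with no error reported. Suggest verifying both fonts are non-NULL before the call. The hunk also does not show where medium_font and bold_font are declared, so confirm they are in scope in the tree this is applied to. Since the diff runs from 1.121 back to 1.120, a short comment marking this as a deliberate back-out would keep it from being mistaken for a forward change.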