Ethereal-users: Re: [Ethereal-users] capturing packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Tue, 11 Sep 2001 14:32:41 -0700 (PDT)
> I am running latest ethereal version-0.8.19 on aix. I am using a filter
> 
> src host <ip addr> and dst host <ip addr>
> It gives me a list of captured packets but in the src and dest fields, it
> says N/A for all the packets. In the protocol field it says 0x1840 (instead
> of SCTP, as I am running SCTP test runs on both the machines) for all the
> packets and in the info field it says PPP(unknown 0x1840).

Are you capturing on a Token Ring device?

If so, then...

> I was wondering if this is the right format or if I am missing something.

...what you're missing is an OS whose libpcap is compatible with normal
libpcaps.

I infer from some other stuff I've seen that AIX's libpcap has several
incompatibilities with standard libpcap:

	1) they use nanosecond-resolution rather than
	   microsecond-resolution time stamps;

	2) they use SNMP interface type values rather than DLT_ values.

One could, perhaps, make arguments for both of those being improvements
- but they only constitute improvements if

	1) they don't actually export libpcap to applications (i.e.,
	   only if they do not supply a "pcap.h")
or

	2) they changed the names of the routines, so that you can't
	   compile and link a program expecting standard libpcap
	   behavior with the non-standard libpcap

or

	3) they provide additional APIs to turn on the non-standard
	   behaviors (e.g., have "pcap_datalink()" return a DLT_ value
	   and have "pcap_iftype()" or whatever return the SNMP
	   interface type value, and have a "pcap_set_ns_resolution()"
	   routine to arrange that you get nanosecond resolution in time
	   stamps).

> Here I would like to mention that I am using libpcap on aix (IBM's libpcap)
> and not dlpi for capturing packets.

I would suggest that you either

	1) use the current CVS version of libpcap, and configure it to
	   use DLPI

or

	2) if AIX comes with a "pcap.h" that defines DLT_IEEE802 as 6,
	   complain to the AIX group in IBM, asking them to fix their
	   libpcap so that it's compatible with normal libpcaps

or

	3) get the current CVS version of libpcap, configure it to use
	   BPF, and modify it to, on AIX, convert the value it gets back
	   from BIOCGDLT from an IFT_ value (as defined in, I suspect,
	   <net/if_types.h>) to the corresponding DLT_ values.
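
The IFT_-to-DLT_ conversion from option 3, together with the nanosecond time stamp difference listed earlier, shown as an added example that is not part of the original message and is not libpcap's code. The EX_-prefixed names and both helper functions are hypothetical; the numeric values are those of the standard IFT_ and DLT_ definitions.

```c
#include <stdint.h>
#include <stdio.h>

/* SNMP ifType numbers (the IFT_ values of <net/if_types.h>), renamed with an
 * EX_ prefix so this example does not depend on any system header. */
enum { EX_IFT_ETHER = 6, EX_IFT_ISO88025 = 9, EX_IFT_FDDI = 15, EX_IFT_PPP = 23 };

/* Standard libpcap DLT_ numbers, likewise renamed. */
enum { EX_DLT_EN10MB = 1, EX_DLT_IEEE802 = 6, EX_DLT_PPP = 9, EX_DLT_FDDI = 10 };

/* Hypothetical helper: map an ifType to the DLT_ value a standard libpcap
 * would report. Returns -1 for types this example does not cover. */
int ex_ift_to_dlt(int ift)
{
    switch (ift) {
    case EX_IFT_ETHER:    return EX_DLT_EN10MB;
    case EX_IFT_ISO88025: return EX_DLT_IEEE802;  /* Token Ring */
    case EX_IFT_FDDI:     return EX_DLT_FDDI;
    case EX_IFT_PPP:      return EX_DLT_PPP;
    default:              return -1;
    }
}

/* Seconds plus sub-second part of a packet time stamp. */
struct ex_ts { uint32_t sec; uint32_t frac; };

/* Hypothetical helper: turn a nanosecond-resolution stamp into the
 * microsecond-resolution form. Returns -1 if frac is not a valid
 * nanosecond count, which suggests the stamp was not in nanoseconds. */
int ex_ns_to_us(struct ex_ts *ts)
{
    if (ts->frac >= 1000000000u)
        return -1;
    ts->frac /= 1000u;
    return 0;
}

int main(void)
{
    /* Constructed sample: a Token Ring ifType and a nanosecond stamp. */
    struct ex_ts ts = { 1000243961u, 123456789u };
    int raw = EX_IFT_ISO88025;

    /* Unconverted, 9 is read as DLT_PPP; converted, it is DLT_IEEE802. */
    printf("raw=%d (as DLT: %s) -> dlt=%d\n", raw,
           raw == EX_DLT_PPP ? "PPP" : "other", ex_ift_to_dlt(raw));
    if (ex_ns_to_us(&ts) == 0)
        printf("ts=%u.%06u\n", (unsigned)ts.sec, (unsigned)ts.frac);
    return 0;
}
```

The two number spaces collide: ifType 9 (Token Ring) equals DLT_PPP, and ifType 6 (Ethernet) equals DLT_IEEE802, so an unconverted value is silently decoded as the wrong link layer.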