On Tue, Aug 06, 2002 at 10:16:02PM +0100, Alistair.McGlinchy@xxxxxxxxxxxxxxxxxxxxx wrote:
> text2pcap.exe should be in your ethereal install directory. It works
> perfectly for Ethernet text. However I cannot get Token ring text to be
> reimported.
>
> >From net/bpf.h:
> #define DLT_EN10MB 1 /* Ethernet (10Mb) */
> #define DLT_PRONET 4 /* Proteon ProNET Token Ring */
> So I assume that text2pcap -l 4 should import token ring.
You appear to be assuming that the term "Token Ring" refers to a single
unique type of network.
It doesn't.
There was an old token ring network from Proteon, called ProNET, which I
think antedated IEEE 802.5 (and may have antedated IBM's token ring).
The folks who did BPF reserved a DLT_ value for it, but never wrote any
libpcap or tcpdump code for it (or, at least, never put it into a public
release, just as they never put out, as far as I know, any public code
for the old experimental 3Mb Ethernet, AX.25, MIT CHAOS, or ARCNET).
There's also the 802.5 token ring standard (which I *think* may be based
on the IBM token ring); they didn't provide a DLT_ value for it.
For some unknown reason, they *did* provide a DLT_ type for "IEEE 802
Networks", the fact that there are several *different* types of 802
networks, with different link-layer headers, nonwithstanding.
Various Linux and BSD systems, and possibly other systems, hijacked that
"DLT_IEEE802" value to mean IEEE 802.5 token ring; that's what the
current libpcap, tcpdump, and Ethereal use it for.
So the right value for IEEE 802.5 token ring is 6:
#define DLT_IEEE802 6 /* IEEE 802 Networks */
not 4.