On Thu, Feb 13, 2003 at 04:34:18PM -0500, Balendran Bala wrote:
> I have a question about the ATMSNOOP capture.
>
> Well, Does LLC/SNAP header is part data in ATMSNOOP capture?
Yes, *IF* the packets are LLC-encapsulated. atmsnoop captures can have
LANE, SSCOP, ILMI, etc. traffic in them as well.
Furthermore, before the LLC/SNAP header, you need to put an atmsnoop
header, which consists of, in order:
one byte of flags;
one byte of VPI;
two bytes of *big-endian* VCI.
The flags have:
in the uppermost bit (0x80), a bit that's 1 if the traffic is
from DCE to DTE and 0 if the traffic is from DTE to DCE;
in the lower 4 bits (0x0F), the type of traffic:
1 LANE
2 LLC-multiplexed (LLC/SNAP) traffic
3 MARS (RFC 2022)
4 IFMP (Ipsilon Flow Management Protocol - see RFC
1954)
5 ILMI
6 Signalling AAL (SSCOP/Q.2931)
> Basically,
> what I am trying to find out is that in order to save a Classical IP capture
> in ATMSNOOP format, do we have save LLC/SNAP information too?
Yes, *and* the atmsnoop header.
However, if it's just Classical IP, it's simpler to save the capture in
libpcap format, with a link-layer type of 106, in which case you just
write out the LLC/SNAP header and payload.
And if you *only* have IPv4 traffic (no ARP or IPv6, for example), and
don't even want to bother with the LLC/SNAP header, you can save it as a
"raw IPv4" libpcap capture, with a link-layer type of 101, and no header
in front of the IPv4 header.