I got my hands on some captures from a Linux box and saw
something I don't quite understand:
> tethereal -Vr 6wind-cone-nat.pcap
Frame 1
...
Linux cooked capture
Packet type: Unicast to us (0)
Link-layer address type: 1
Link-layer address length: 6
Source: 00:06:25:9a:d5:3a (LinksysG_9a:d5:3a)
...
Frame 2
...
Linux cooked capture
Packet type: Sent by us (4)
Link-layer address type: 512
Link-layer address length: 0
Source: <MISSING>
I don't understand how frame 1 (incoming) has a link-layer header, but frame
2 does not. The link layer must be added at some point, and that point is after
the tap point? The capture was written by "tcpdump -i any ..", so I assume
the frames came from different devices (eth/ppp) with different link layers. Is
there no way to show from which device a frame was captured? Some heuristics
based on the "Link-layer address type" maybe?
Also, tcpdump with the '-e' option is a bit confusing:
> tcpdump -ter 6wind-cone-nat.pcap
reading from file 6wind-cone-nat.pcap, link-type LINUX_SLL (Linux cooked)
< 00:06:25:9a:d5:3a ip 121: 192.168.1.64.3100 > 195.220.208.2.3544: UDP, length 77
> ip 121: ALille-210-1-13-139.w217-128.abo.wanadoo.fr.3100 > 195.220.208.2.3544: UDP, length 77
should maybe say "<no link-layer>" or something (if eflag != 0). And showing incoming
direction as "<": is it usually vice versa, in as ">" and out as "<"? I.e., from the left (outside
the screen), indicating it came from the outside.
--gv
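The two headers quoted in the mail above are ordinary LINUX_SLL pseudo-headers, and the "Link-layer address type" field is exactly the per-frame hint the poster is asking about: it carries the kernel's ARPHRD_* device type (1 is Ethernet, 512 is PPP), so a frame with type 512 and a zero-length address came in or went out through a PPP interface, which has no hardware address to record. The interface name itself is not stored in the classic SLL header (the newer LINUX_SLL2 link type adds an interface index for that). The following decoder is an added example, not code from the original mail or from tcpdump/tethereal; it assumes the standard 16-byte, big-endian DLT_LINUX_SLL layout documented by libpcap, and the two sample frames are constructed from the field values shown in the post, with a hypothetical 4-byte stand-in for the IP payload. The "in"/"out" labels and the device-type names are this example's own, not tcpdump's.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Layout of the 16-byte LINUX_SLL pseudo-header that libpcap writes for
# "tcpdump -i any" captures. Every field is big-endian:
#   sll_pkttype (2) | sll_hatype (2) | sll_halen (2) | sll_addr (8) | sll_protocol (2)
SLL_HDR_LEN = 16
SLL_FORMAT = "!HHH8sH"

# sll_pkttype values (PACKET_* constants from <linux/if_packet.h>). The names for
# 0 and 4 are the ones tethereal printed in the post; the others are generic.
PKTTYPE_NAMES = {
    0: "Unicast to us",
    1: "Broadcast",
    2: "Multicast",
    3: "Unicast to another host",
    4: "Sent by us",
}
SLL_OUTGOING = 4

# sll_hatype values (ARPHRD_* constants from <linux/if_arp.h>) for device types
# commonly seen in "-i any" captures. Anything else is reported numerically.
ARPHRD_NAMES = {
    1: "Ethernet",
    512: "PPP",
    772: "loopback",
    0xFFFE: "none",
}


@dataclass
class SllHeader:
    pkttype: int
    hatype: int
    halen: int
    addr: bytes      # always 8 bytes on the wire; only the first halen are meaningful
    protocol: int    # EtherType of the payload (0x0800 = IPv4)

    @property
    def outgoing(self) -> bool:
        return self.pkttype == SLL_OUTGOING

    @property
    def source(self) -> Optional[str]:
        """Link-layer source as aa:bb:cc:..., or None when the device has no address."""
        if self.halen == 0:
            return None
        return ":".join(f"{b:02x}" for b in self.addr[: self.halen])


def parse_sll(frame: bytes) -> SllHeader:
    """Decode the SLL pseudo-header at the front of one captured frame."""
    if len(frame) < SLL_HDR_LEN:
        raise ValueError(
            f"frame is {len(frame)} bytes, shorter than the {SLL_HDR_LEN}-byte SLL header"
        )
    pkttype, hatype, halen, addr, protocol = struct.unpack(SLL_FORMAT, frame[:SLL_HDR_LEN])
    if halen > 8:
        # A malformed or deliberately corrupted header; never index past sll_addr.
        raise ValueError(f"sll_halen {halen} exceeds the 8-byte address field")
    return SllHeader(pkttype, hatype, halen, addr, protocol)


def summarize(frame: bytes) -> Dict[str, object]:
    """Per-frame view: direction, device type inferred from sll_hatype, source address."""
    h = parse_sll(frame)
    return {
        "direction": "out" if h.outgoing else "in",
        "pkttype": PKTTYPE_NAMES.get(h.pkttype, f"unknown ({h.pkttype})"),
        "hatype": ARPHRD_NAMES.get(h.hatype, f"unknown ({h.hatype})"),
        "source": h.source,
        "protocol": f"0x{h.protocol:04x}",
        "payload_len": len(frame) - SLL_HDR_LEN,
    }


# Constructed sample frames reproducing the two headers quoted in the post.
# Frame 1: pkttype 0, hatype 1 (Ethernet), halen 6, source 00:06:25:9a:d5:3a, IPv4.
FRAME_ETH_IN = bytes.fromhex("0000" "0001" "0006" "0006259ad53a0000" "0800") + b"\x45\x00\x00\x00"
# Frame 2: pkttype 4, hatype 512 (PPP), halen 0, no address, IPv4.
FRAME_PPP_OUT = bytes.fromhex("0004" "0200" "0000" "0000000000000000" "0800") + b"\x45\x00\x00\x00"

if __name__ == "__main__":
    for name, frame in (("frame 1", FRAME_ETH_IN), ("frame 2", FRAME_PPP_OUT)):
        print(name, summarize(frame))
```

Run over a real "-i any" capture (for example by feeding each packet's bytes from a pcap reader into `summarize`), this gives the per-device breakdown the post asks for: frames can be grouped by `hatype`, and the direction comes from `pkttype` rather than from the presence or absence of a link-layer address, which is what makes the PPP frames look headerless in the tethereal output.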