LEGO wrote:
dissector_add("ppp.protocol", ETHERTYPE_IP, ip_handle);
a different way to do IP over PPP (?)
More like "a different way of constructing a network stack", i.e.
Microsoft's way of constructing it, in which everything above the link
layer expects packets that look like Ethernet packets, and there's a
"glue layer" (NDISWAN) that translates between PPP and Ethernet packets,
and, apparently, you can, when capturing with WinPcap, see packets with
PPP headers with Ethernet types rather than PPP types in the protocol field.
dissector_add("null.type", BSD_AF_INET, ip_handle);
IP over .... a null socket type????
IP over BSD loopback interfaces; the DLT_ name for that is DLT_NULL.
There's really nothing "null" about it - there's a link-layer header for
them, containing a 4-byte BSD address family value.
dissector_add("chdlctype", ETHERTYPE_IP, ip_handle);
IP over ????
IP over "Cisco HDLC", a pre-PPP Cisco scheme for encapsulating packets
on a synchronous serial line.
dissector_add("osinl.excl", NLPID_IP, ip_handle);
IP over OSI Network Layer???
IP over the same layering scheme used for the OSI networking layer, with
a 1-byte protocol type field.
dissector_add("wtap_encap", WTAP_ENCAP_RAW_ICMP, icmp_handle);
First one is ok that ICMP packet processed
IP header and then giving data part to ICMP but what
is other thing wtap_encap?
This I really do not know, it might well be ICMP found raw in a pcap
file by wiretap.
Yes, it's raw ICMP in HP-UX nettl files.
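
The DLT_NULL header described above (a 4-byte BSD address family in front of the packet), as an added example that is not part of the original message or of the dissector source. It assumes the family is stored in the capturing host's byte order and that AF_INET is 2; the function names and sample frames are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BSD_AF_INET  2u   /* AF_INET is 2 on the BSDs */
#define NULL_HDR_LEN 4u   /* DLT_NULL header: one 4-byte address family */

/* Constructed sample frames: header, then the first bytes of an IPv4 header. */
static const uint8_t sample_le[]    = { 0x02, 0, 0, 0, 0x45, 0x00, 0x00, 0x54 };
static const uint8_t sample_be[]    = { 0, 0, 0, 0x02, 0x45, 0x00, 0x00, 0x54 };
static const uint8_t sample_short[] = { 0x02, 0, 0 };
static const uint8_t sample_bad[]   = { 0xff, 0xff, 0xff, 0xff, 0x45 };

/* Read the family; it is stored in the capturing host's byte order, so try
 * both orders and keep the one that fits in 16 bits. Returns 0 on success,
 * -1 if the frame is truncated, -2 if neither order gives a plausible family. */
static int null_family(const uint8_t *frame, size_t len, uint32_t *family)
{
    if (frame == NULL || len < NULL_HDR_LEN)
        return -1;
    uint32_t le = (uint32_t)frame[0] | (uint32_t)frame[1] << 8 |
                  (uint32_t)frame[2] << 16 | (uint32_t)frame[3] << 24;
    uint32_t be = (uint32_t)frame[3] | (uint32_t)frame[2] << 8 |
                  (uint32_t)frame[1] << 16 | (uint32_t)frame[0] << 24;
    if (le != 0 && le <= 0xFFFFu)      *family = le;
    else if (be != 0 && be <= 0xFFFFu) *family = be;
    else return -2;
    return 0;
}

/* Returns 1 when the payload should go to an IPv4 parser, else 0. */
static int null_frame_is_ipv4(const uint8_t *frame, size_t len)
{
    uint32_t family;
    if (null_family(frame, len, &family) != 0 || family != BSD_AF_INET)
        return 0;
    /* Never trust the header alone: require a payload with IP version 4. */
    return len > NULL_HDR_LEN && (frame[NULL_HDR_LEN] >> 4) == 4;
}

int main(void)
{
    printf("le=%d be=%d short=%d bad=%d\n",
           null_frame_is_ipv4(sample_le, sizeof sample_le),
           null_frame_is_ipv4(sample_be, sizeof sample_be),
           null_frame_is_ipv4(sample_short, sizeof sample_short),
           null_frame_is_ipv4(sample_bad, sizeof sample_bad));
    return 0;
}
```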