Stephen Donnelly wrote:
> The only alternative I can see would be assigning new DLTs on a 1:1
> basis with ERF types, however there are already 19 ERF types defined and
> I feel this would unnecessarily consume/pollute the libpcap DLT
> namespace.

One comment I have (though I am not part of tcpdump-workers) is that DLT
values are practically free--there are (potentially) quite a lot of them
so "wasting" them doesn't seem to be too much of an issue.

More important, though, is whether you might have (need to have)
multiple ERF types in one file. The DLT values are (in the current
generation file format) set per file so if you had a separate DLT value
per ERF type you could not have packets of ERF type 1 and ERF type 2 in
the same file.
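
The per-file constraint described above, as an added example that is not part of the original message: the classic pcap file header has the only link-type field, so mixed ERF types fit in one file only when a single link type carries the whole ERF record and the type is read per record. `LINKTYPE_ERF = 197` is taken from the tcpdump.org link-type registry, not from this thread; the helper names and the placeholder payload bytes are constructed for illustration.

```python
import struct

# Classic pcap layout: one 24-byte file header, then 16-byte record headers.
FILE_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len (no link-type field)
ERF_HDR = struct.Struct(">8sBBHHH")   # timestamp, type, flags, rlen, lctr, wlen
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ERF = 197                    # single link type whose payload is a full ERF record


def erf_record(erf_type, payload):
    """Constructed ERF record: 16-byte header plus placeholder payload bytes."""
    return ERF_HDR.pack(b"\0" * 8, erf_type, 0, ERF_HDR.size + len(payload), 0, len(payload)) + payload


def build_pcap(linktype, packets):
    """Serialize packets under the one link type the file header can hold."""
    out = FILE_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        out += REC_HDR.pack(i, 0, len(pkt), len(pkt)) + pkt
    return out


def parse_pcap(buf):
    """Return (file-wide link type, [ERF type of each record])."""
    if len(buf) < FILE_HDR.size:
        raise ValueError("truncated file header")
    magic, _, _, _, _, _, linktype = FILE_HDR.unpack_from(buf, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    if linktype != LINKTYPE_ERF:
        raise ValueError("records are not ERF")
    off, erf_types = FILE_HDR.size, []
    while off < len(buf):
        if off + REC_HDR.size > len(buf):
            raise ValueError("truncated record header")
        _, _, incl_len, _ = REC_HDR.unpack_from(buf, off)
        off += REC_HDR.size
        # Length fields come from the file, so bound them before indexing.
        if incl_len < ERF_HDR.size or off + incl_len > len(buf):
            raise ValueError("record length out of bounds")
        erf_types.append(buf[off + 8] & 0x7F)  # low 7 bits of the ERF type byte
        off += incl_len
    return linktype, erf_types


# Constructed sample: ERF type 1 and ERF type 2 records in the same file.
SAMPLE = build_pcap(LINKTYPE_ERF, [erf_record(1, b"\x00" * 4), erf_record(2, b"\x00" * 6)])
if __name__ == "__main__":
    print(parse_pcap(SAMPLE))
```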