Wireshark-dev: Re: [Wireshark-dev] DLT assignment request

From: Stephen Donnelly <stephen@xxxxxxxxxx>
Date: Fri, 27 Jul 2007 12:30:03 +1200
Hi Jeff,

On Thu, 2007-07-26 at 13:54 -0400, Jeff Morriss wrote:
> Stephen Donnelly wrote:
> > The only alternative I can see would be assigning new DLTs on a 1:1
> > basis with ERF types, however there are already 19 ERF types defined and
> > I feel this would unnecessarily consume/pollute the libpcap DLT
> > namespace.
> One comment I have (though I am not part of tcpdump-workers) is that DLT 
> values are practically free--there are (potentially) quite a lot of them 
> so "wasting" them doesn't seem to be too much of an issue.
> More important, though, is whether you might have (need to have) 
> multiple ERF types in one file.  The DLT values are (in the current 
> generation file format) set per file so if you had a separate DLT value 
> per ERF type you could not have packets of ERF type 1 and ERF type 2 in 
> the same file.

This is true, and another argument for allowing a 'non specific' ERF
DLT. There is no requirement in ERF traces files or live captures that
all ERF records must be of the same type.

For instance when capturing from multiple interfaces simultaneously or
from channelised links you can receive both ATM and HDLC ERF record
types in the same data stream.

    Stephen Donnelly BCMS PhD           email: sfd@xxxxxxxxxx
    Endace Technology Ltd               phone: +64 7 839 0540
    Hamilton, New Zealand               cell:  +64 21 1104378