On May 29, 2009, at 5:23 AM, Selçuk Cevher wrote:
> How can I determine the protocol running on data link layer (i.e.,
> Ethernet, Wi-Fi 802.11, etc) while analyzing packets in a "merged"
> dumped file with pcap format if the pcap file contains a mixture of
> packets with various data link layer protocols?
The only way a pcap file can validly contain a mixture of packets with
various link layer protocols is if the *single* link-layer header type
in the file is one of the few that support a per-packet link-layer
type (such as DLT_ERF); the ones normally used when capturing with
Wireshark don't support that, so you can't, for example, produce a
valid pcap file by merging an Ethernet and an 802.11 capture (unless
the 802.11 capture has fake Ethernet headers rather than 802.11 or
802.11+radio headers).
> libpcap has a pcap_datalink(...) function allowing us to determine the
> data link layer protocol for live capture -- it gets this
> information directly from the actual network interface that is
> sniffed on.
> However, in the case of offline analysis, it seems pcap_datalink()
> will not work since it is not possible to know what kind of
> interface those packets came from.
It is, because the header of a pcap capture file includes a link layer
header type value. It includes only one, however.
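The file-header field the reply refers to, as an added example that is not part of the thread or of libpcap itself: a small parser that pulls the single link-layer header type out of a pcap global header (both byte orders, microsecond and nanosecond magics) and a check that refuses to treat files with different link types as mergeable. The sample headers are constructed inline, and the `LINKTYPE_NAMES` table is just a hand-picked subset of the registered values.

```python
"""Read the single link-layer header type from a pcap global header."""
import struct

# Global header layout: magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
PCAP_MAGIC_US = 0xA1B2C3D4   # microsecond-resolution timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # nanosecond-resolution timestamps
HEADER_LEN = 24

# Hand-picked subset of registered LINKTYPE_/DLT_ values; 197 (ERF) is one of
# the few whose records carry their own per-packet link type.
LINKTYPE_NAMES = {1: "Ethernet", 105: "IEEE 802.11", 127: "IEEE 802.11 + radiotap", 197: "ERF"}


def pcap_linktype(data: bytes) -> int:
    """Return the link-layer header type stored in the first 24 bytes of a pcap file."""
    if len(data) < HEADER_LEN:
        raise ValueError("file too short for a pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            break
    else:
        raise ValueError("not a pcap file (bad magic); pcapng uses a different header")
    _major, _minor, _tz, _sigfigs, _snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:HEADER_LEN])
    # Newer writers may put FCS-length flags in the upper bits; the type is the low 16 bits.
    return linktype & 0xFFFF


def describe_linktype(linktype: int) -> str:
    return LINKTYPE_NAMES.get(linktype, "unknown/other (%d)" % linktype)


def can_merge(headers) -> tuple:
    """A valid pcap file has exactly one link type, so inputs must agree on it."""
    types = {pcap_linktype(h) for h in headers}
    if len(types) == 1:
        return True, "all inputs use " + describe_linktype(types.pop())
    names = ", ".join(sorted(describe_linktype(t) for t in types))
    return False, "link types differ (" + names + "); cannot be one pcap file"


def make_header(linktype: int, endian: str = "<") -> bytes:
    """Constructed 24-byte pcap global header (version 2.4, snaplen 65535) for testing."""
    return struct.pack(endian + "IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, linktype)


# Constructed samples: an Ethernet capture and an 802.11 capture written big-endian.
ETHERNET_CAP = make_header(1)
WIFI_CAP = make_header(105, ">")
```

Running `can_merge([ETHERNET_CAP, WIFI_CAP])` reports the link-type mismatch the reply describes, while two Ethernet captures (in either byte order) pass.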