Wireshark-dev: Re: [Wireshark-dev] Packet Storage

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 8 Mar 2011 08:30:15 -0800
On Mar 8, 2011, at 2:06 AM, Tharaneedharan Vilwanathan wrote:

> The .pcap format allows the packets to be of the same ethernet type,
> right? If so, what is the best way to store the packets of different
> ethernet types in a file?

The pcap format requires that all packets have the same type of *link-layer header*.  That means, for example, that you couldn't mix Ethernet packets, with an Ethernet header, and Wi-Fi packets, with an IEEE 802.11 header in the same file - or even mix Wi-Fi packets with just an 802.11 header and Wi-Fi packets with a radiotap header followed by an 802.11 header in the same file.

However, if by "Ethernet type" you mean the type/length field in the Ethernet header, you *can* have Ethernet packets with multiple Ethernet types in a pcap file - as far as the pcap file format is concerned, they're all Ethernet packets; if some of them are IPv4 packets with an Ethernet type of 0x0800, and some of them are ARP packets with an Ethernet type of 0x0806, and some of them are IPv6 packets with an Ethernet type of 0x86dd, and some of them are Novell IPX packets with an Ethernet type of 0x8137, and others have a length value rather than a type value, that's not a problem.