Wireshark-dev: Re: [Wireshark-dev] Npcap 0.04 call for test

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 18 Aug 2015 10:45:17 -0700
On Aug 18, 2015, at 9:22 AM, Jim Young <jyoung@xxxxxxx> wrote:

> Instead of supplying an ethernet header with the mac addresses of all zeros, would it make more sense to supply a NULL/Loopback encapsulation type to packets captured in the Npcap LoopBack Interface?

It looks as if the loopback interface supplies only IPv4 and IPv6 packets.

In that case, either DLT_NULL, DLT_LOOP, or DLT_RAW would work.

For DLT_NULL and DLT_LOOP, the packet has a 4-byte header followed by the IP datagram.  For DLT_NULL, the 4-byte header is in the byte order of the host on which the capture is being done; for DLT_LOOP, it's in network byte order.  The value is 2 for IPv4 and, for IPv6:

	24 for OpenBSD, NetBSD, and BSD/OS;
	28 for FreeBSD;
	30 for OS X and iOS;
	10 for Linux;
	26 for Solaris;
	23 for Windows;

because 4.2BSD defined AF_INET to be 2 but, as IPv6 didn't exist yet, didn't define AF_INET6, so everybody ran off and defined it differently.

For DLT_RAW, the packet begins with the IP datagram; code to dissect the packet looks at the version number in the IP header to determine whether it's IPv4 or IPv6.