On Aug 18, 2015, at 9:22 AM, Jim Young <jyoung@xxxxxxx> wrote:
> Instead of supplying an ethernet header with the mac addresses of all zeros, would it make more sense to supply a NULL/Loopback encapsulation type to packets captured in the Npcap LoopBack Interface?
It looks as if the loopback interface supplies only IPv4 and IPv6 packets.
In that case, either DLT_NULL, DLT_LOOP, or DLT_RAW would work.
For DLT_NULL and DLT_LOOP, the packet has a 4-byte header followed by the IP datagram. For DLT_NULL, the 4-byte header is in the byte order of the host on which the capture is being done; for DLT_LOOP, it's in network byte order. The value is 2 for IPv4 and, for IPv6:
24 for OpenBSD, NetBSD, and BSD/OS;
28 for FreeBSD;
30 for OS X and iOS;
10 for Linux;
26 for Solaris;
23 for Windows;
because 4.2BSD defined AF_INET to be 2 but, as IPv6 didn't exist yet, didn't define AF_INET6, so everybody ran off and defined it differently.
For DLT_RAW, the packet begins with the IP datagram; code to dissect the packet looks at the version number in the IP header to determine whether it's IPv4 or IPv6.