Wireshark-dev: Re: [Wireshark-dev] The IPv6 value "24" in DLT_NULL causes Npcap's BPF filter no

From: Yang Luo <hsluoyb@xxxxxxxxx>
Date: Thu, 15 Sep 2016 11:51:12 +0800
Hi Guy,

Thanks! If we choose to change libpcap, I think both Wireshark and Npcap driver are not required to be modified any more then. I will test it when the code is submitted:)


Cheers,
Yang

On Thu, Sep 15, 2016 at 11:20 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
On Sep 13, 2016, at 10:03 PM, Yang Luo <hsluoyb@xxxxxxxxx> wrote:

> But the problem is, libpcap  (which is used by Npcap) only supports the value 23 in the BPF filter code.

This is a problem in more ways than one.

For example, if you're running on FreeBSD, and are reading a pcap or pcapng file from NetBSD, and it has loopback packets, a filter checking for IPv6 packets won't work, because it'll be looking for the FreeBSD AF_INET6 (28), but IPv6 packets will have NetBSD's AF_INET6 (24).

So, when reading a capture file, the filter should check for *all* of the possible AF_INET6 values, because there's no way to determine, from the file, which AF_INET6 value was used.

When doing a live capture, it should, if possible, just use whatever the capture mechanism provides, to avoid doing other checks.

I'll fix this up; for now, just keep using 24 - it's not as if any code that wants to read an AF_NULL pcap file can rely on its OS's AF_INET6 being the packet type value *anyway*, it has to check for all platform values (which both tcpdump and Wireshark do).
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe