On Oct 23, 2011, at 2:17 PM, Keith French wrote:
> Please can you give me some idea of the syntax to use with text2pcap - I cannot see anything in the help referring to a "DLT_ value" (in fact I'm not sure what a DLT_ is anyway).
I wasn't sure what terminology was being used; it turns out the text2pcap man page uses the terminology I prefer, which is "link-layer type value" (well, actually, I prefer "link-layer header type value", as it specifies what headers appear at the beginning of the packet, regardless of the actual link-layer type):
    $ man text2pcap
    ...
       −l  Specify the link‐layer type of this packet. Default is Ethernet
           (1). See net/bpf.h for the complete list of possible
           encapsulations. Note that this option should be used if your dump
           is a complete hex dump of an encapsulated packet and you wish to
           specify the exact type of encapsulation. Example: −l 7 for ARCNet
           packets.
(I need to update that to say "see http://www.tcpdump.org/linktypes.html for the complete list of possible encapsulations.") They've become known as DLT_ values, from the #defines used in net/bpf.h; however, in some cases, the actual value in the file is different from the DLT_ #define, thanks to various BSDs picking different numerical values for the same link-layer header type - tcpdump.org assigned a separate link-layer header type value, for use in capture files, for that link-layer header type, so that a file produced on one OS could be read on another OS.
In any case, the syntax for that would be "-l 203" as a command-line argument to text2pcap.
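
Added example, not part of the original message and not text2pcap's own code: a simplified Python sketch of where the value given with "-l" ends up, namely the last 32-bit field of the capture file's 24-byte header. The hex dump parser is a cut-down stand-in for text2pcap's input handling, and the function names and sample bytes are constructed for illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap format, microsecond timestamps

def parse_hexdump(text):
    """Simplified offset-prefixed hex dump parser; offset 0 starts a new packet."""
    packets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            offset = int(fields[0], 16)
            data = bytes(int(b, 16) for b in fields[1:])
        except ValueError:
            continue  # not a dump line, skip it
        if offset == 0:
            packets.append(bytearray())
        if not packets or offset != len(packets[-1]):
            raise ValueError(f"offset {offset:#x} does not continue the packet")
        packets[-1] += data
    return [bytes(p) for p in packets]

def write_pcap(packets, linktype=1, snaplen=262144):
    """Build a pcap file in memory; linktype plays the role of the -l value."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, link-layer header type
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for ts, pkt in enumerate(packets):
        # per-packet record header: ts_sec, ts_usec, captured len, original len
        out += struct.pack("<IIII", ts, 0, len(pkt), len(pkt)) + pkt
    return out

def read_linktype(pcap_bytes):
    """Return the link-layer header type value stored in the file header."""
    for order in ("<", ">"):
        if struct.unpack_from(order + "I", pcap_bytes, 0)[0] == PCAP_MAGIC:
            return struct.unpack_from(order + "I", pcap_bytes, 20)[0]
    raise ValueError("not a classic pcap file")

# Constructed sample input: two packets of arbitrary bytes.
SAMPLE = """\
000000 00 01 02 03 04 05 06 07
000008 08 09
000000 aa bb cc
"""

if __name__ == "__main__":
    pkts = parse_hexdump(SAMPLE)
    print(read_linktype(write_pcap(pkts, linktype=203)))  # as with "-l 203"
    print(read_linktype(write_pcap(pkts)))                # default, Ethernet (1)
```

A reader of the file picks its dissector for the start of every packet from this one header field, so a dump written with the wrong value is decoded with the wrong link-layer headers.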