Hi Sake
Thank you for the response. Unfortunately the information I am after
filtering on is not in a capture file; it only exists in the kernel at
run time, in skb->protocol. Hence linking this to dumpcap.
As a packet is processed through the network stack the value of
skb->protocol changes to reflect the next protocol to be inspected.
For example, an AX25 packet is handed to the network interface by the
mkiss driver and skb->protocol == ETH_P_AX25. The packet is then
processed by the AX25 protocol driver and in the case of the payload
being an IP packet skb->protocol is then changed to ETH_P_IP and the
packet handed back to the network interface. So now we have apparently
the same packet appearing on the network interface for a second time.
libpcap cannot distinguish between the two, as the only difference is
the value of skb->protocol, and there appears to be no way of
filtering on skb->protocol without resorting to BPF assembler.
I hope I am making sense.
--
Regards
Richard