Ethereal

Re: [Ethereal-users] capturing packets
Google
 
Web Ethereal.com

Home | Introduction | Documentation | Lists | FAQ | Development | Wiki | Bugs

Main Index | Thread Index | Mailing Lists | | Date Prev | Date Next | Thread Prev | Thread Next

Ethereal-users: September 2001

 

> I am running latest ethereal version-0.8.19 on aix. I am using a filter
> 
> src host <ip addr> and dst host <ip addr>
> It gives me a list of captured packets but in the src and dest fields, it
> says N/A for all the packets.In the protocol field it says 0x1840 (instead
> of SCTP, as I am running SCTP test runs on both the machines)for all the
> packets and in the info field it says PPP(unknown 0x1840).

Are you capturing on a Token Ring device?

If so, then...

> I was wondering if this is the right format or if I am missing something.

...what you're missing is an OS whose libpcap is compatible with normal
libpcaps.

I infer from some other stuff I've seen that AIX's libpcap has several
incompatibilities with standard libpcap:

	1) they use nanosecond-resolution rather than
	   microsecond-resolution time stamps;

	2) they use SNMP interface type values rather than DLT_ values.

One could, perhaps, make arguments for both of those being improvements
- but they only constitute improvements if

	1) they don't actually export libpcap to applications (i.e.,
	   only if they do not supply a "pcap.h")
or

	2) they changed the names of the routines, so that you can't
	   compile and link a program expecting standard libpcap
	   behavior with the non-standard libpcap

or

	3) they provide additional APIs to turn on the non-standard
	   behaviors (e.g., have "pcap_datalink()" return a DLT_ value
	   and have "pcap_iftype()" or whatever return the SNMP
	   interface type value, and have a "pcap_set_ns_resolution()"
	   routine to arrange that you get nanosecond resultion in time
	   stamps).

> Here I would like to mention that I am using libpcap on aix(IBM's libpcap)
> and not dlpi for capturing packets.

I would suggest that you either

	1) use the current CVS version of libpcap, and configure it to
	   use DLPI

or

	2) if AIX comes with a "pcap.h" that defines DLT_IEEE802 as 6,
	   complain to the AIX group in IBM, asking them to fix their
	   libpcap so that it's compatible with normal libpcaps

or

	3) get the current CVS version of libpcap, configure it to use
	   BPF, and modify it to, on AIX, convert the value it gets back
	   from BIOCGDLT from an IFT_ value (as defined in, I suspect,
	   <net/if_types.h>) to the correspnding DLT_ values.

Powered by MHonArc 2.6.10

Please send support questions about Ethereal to the ethereal-users[AT]ethereal.com mailing list.
For corrections/additions/suggestions for this web page (and not Ethereal support questions), please send email to ethereal-web[AT]ethereal.com.
Last modified: Fri, November 10 2006.
"Ethereal" and the "e" logo are registered trademarks of Ethereal, Inc.