Conversation

@leonerd (Contributor) commented Dec 25, 2014

As required in order to be able to dump both interface index and packet direction. Header structure copied from the current form of 'struct sockaddr_sll' on Linux, a very early version of which was used by the original LINKTYPE_LINUX_SLL but Linux's actual structure has changed much since then.

Required for the-tcpdump-group/libpcap#127

@guyharris (Member) commented May 9, 2020

As required in order to be able to dump both interface index and packet direction. Header structure copied from the current form of 'struct sockaddr_sll' on Linux

That's not a feature.

Having just added SLL2 support to Wireshark, it's much more convenient if the protocol field is at the end of the header, after the ARPHRD_ type of the interface. For most ARPHRD_ values, the protocol field is a standard Ethernet type or special Linux value; however:

  1. for ARPHRD_IPGRE, it's a GRE protocol type;

  2. for ARPHRD_NETLINK, it's a Netlink protocol type.

For SLL, we can just parse the header without doing look-ahead; if the ARPHRD_ type comes after the protocol type, as it does for SLL2, we have to do some extra look-ahead.

In addition, for ARPHRD_NETLINK, the Netlink messages themselves are in host byte order; if we use the extra 2 reserved bytes to store the value 0x0123, in the byte order of the host doing the capture, that lets dissectors determine the byte order of the messages without having to do heuristics.

(I'm also looking into whether there's a way to get some extra data for ARPHRD_IPGRE into that field, although that might be harder, as that information is in the link-layer header in the skbuff, and, as "any" captures are done on a cooked socket and thus discard the link-layer header, that might be difficult or impossible.)

So how about

#include <stdint.h>

#define SLL_ADDRLEN 8                   /* as in libpcap's pcap/sll.h */

struct header {
    uint16_t hatype;                    /* link-layer address type */
    uint8_t  pkttype;                   /* packet type */
    uint8_t  halen;                     /* link-layer address length */
    uint8_t  addr[SLL_ADDRLEN];         /* link-layer address */
    int32_t  if_index;                  /* 1-based interface index */
    uint16_t hatype_specific;           /* dependent on sll3_hatype */
    uint16_t protocol;                  /* protocol */
};

We could either 1) make that LINKTYPE_LINUX_SLL3/DLT_LINUX_SLL3 or, 2) as this version of libpcap hasn't been released yet (nor have the versions of tcpdump or Wireshark that handle SLL2), possibly redefine LINKTYPE_LINUX_SLL2/DLT_LINUX_SLL2.
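The parsing argument made in this comment (read the ARPHRD_ type first, then interpret the later fields, and use the reserved 16 bits as a byte-order marker for netlink) as an added example that is not part of this pull request or of libpcap; it parses the header layout proposed above, assuming, as in SLL, that the fixed fields are in network byte order, and that the marker 0x0123 is written in the capturing host's order. The names sll3_hdr, parse_sll3, NL_ORDER_* and the sample packet are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define SLL_ADDRLEN    8    /* as in libpcap's pcap/sll.h */
#define ARPHRD_NETLINK 824  /* Linux ARPHRD_ value for netlink sockets */
#define SLL3_HDR_LEN   20   /* wire size of the layout proposed above */

/* Layout proposed in the comment above. Fields are assumed to be in network
 * byte order, as in SLL, except hatype_specific, which for ARPHRD_NETLINK
 * carries the marker 0x0123 in the capturing host's byte order. */
struct sll3_hdr {
    uint16_t hatype;
    uint8_t  pkttype;
    uint8_t  halen;
    uint8_t  addr[SLL_ADDRLEN];
    int32_t  if_index;
    uint16_t hatype_specific;
    uint16_t protocol;
};

enum nl_order { NL_ORDER_UNKNOWN = 0, NL_ORDER_BIG, NL_ORDER_LITTLE };

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static int32_t  be32(const uint8_t *p) { return (int32_t)((uint32_t)be16(p) << 16 | be16(p + 2)); }
/* Parse one header without look-ahead: hatype is read first, so the meaning of
 * hatype_specific and protocol is known by the time they are reached.
 * Returns 0 if the buffer is too short for a complete header. */
int parse_sll3(const uint8_t *buf, size_t len, struct sll3_hdr *h, enum nl_order *order)
{
    if (len < SLL3_HDR_LEN) return 0;
    h->hatype   = be16(buf);
    h->pkttype  = buf[2];
    h->halen    = buf[3];
    memcpy(h->addr, buf + 4, SLL_ADDRLEN);
    h->if_index = be32(buf + 12);
    h->hatype_specific = be16(buf + 16);
    h->protocol = be16(buf + 18);
    *order = NL_ORDER_UNKNOWN;
    if (h->hatype == ARPHRD_NETLINK) {
        /* a big-endian host writes 0x0123 as 01 23, a little-endian host as 23 01 */
        if (buf[16] == 0x01 && buf[17] == 0x23) *order = NL_ORDER_BIG;
        else if (buf[16] == 0x23 && buf[17] == 0x01) *order = NL_ORDER_LITTLE;
    }
    return 1;
}

/* Constructed sample: ARPHRD_NETLINK (0x0338), if_index 2, marker as written by
 * a little-endian host (23 01), netlink protocol 16 (NETLINK_GENERIC). */
const uint8_t sample_sll3[SLL3_HDR_LEN] = { 0x03, 0x38, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                                            0, 0, 0, 2, 0x23, 0x01, 0x00, 0x10 };
```

A dissector handling the SLL2 layout in the pull request, with hatype after protocol, would instead have to read ahead to the hatype field before it could decide how to interpret the protocol value.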

@pevik (Contributor) commented May 13, 2020

@guyharris Thanks for the explanation. I'd be for redefining LINKTYPE_LINUX_SLL2/DLT_LINUX_SLL2.

@infrastation (Member) commented

If you redefine it, would it be difficult to find a place for storing two timestamps in the same go (start of capture and end of capture) as described some time ago on tcpdump-workers? So that it is later clear that the capture covers 24 hours of real time, even though the stored packets cover a 1 hour interval, for example.
