Date: Tue, 7 Jun 2005 16:47:02 -0400 From: Charles Swiger <cswiger@mac.com> To: Matthew Luckie <mjl@luckie.org.nz> Cc: freebsd-net@freebsd.org Subject: Re: bpf writes on tun device Message-ID: <43393A5D-A13B-4385-A6E3-EDD21343277A@mac.com> In-Reply-To: <42A5FB72.4010603@luckie.org.nz> References: <4295A6CA.8080409@luckie.org.nz> <20050606081637.GA73886@lycra.luckie.org.nz> <20050606120851.GD734@empiric.icir.org> <20050606204008.GA91353@lycra.luckie.org.nz> <20050607101927.GA99034@lycra.luckie.org.nz> <20050607112340.GC812@empiric.icir.org> <42A5FB72.4010603@luckie.org.nz>
next in thread | previous in thread | raw e-mail | index | archive | help
On Jun 7, 2005, at 3:54 PM, Matthew Luckie wrote:
>> I'd be wary of changing the definition of DLT_NULL however -- it
>> literally
>> means 'there's nothing here apart from raw data', and changing
>> this notion
>> would mean that we have to change it everywhere, including bpf
>> clients,
>> because the change being proposed would make DLT_NULL mean
>> 'there's a 32-bit
>> integer in front of everything else which is raw data', which is
>> something
>> else.
>
> this was the behaviour expected of most DLT_NULL bpf devices
> already (passing a 32bit int when writing). It is important to
> note that the behaviour of BPF writers does not change in these
> cases, and my patch is merely a bug fix.
Agreed. When you use BPF or PCAP to capture packets, for the
DTL_NULL case there is a 4-byte offset between where PCAP says the
packet starts and where the actual raw IP packet starts.
If you want BPF/PCAP to return packets without the 4-byte offset, the
associated datalink type is actually called DLT_RAW. Note that the
behavior of DLT_NULL is useful in practice, since you can find out
what the "ether type" of the packet was per <net/ethernet.h>:
#define ETHERTYPE_IP 0x0800 /* IP protocol */
#define ETHERTYPE_ARP 0x0806 /* Addr. resolution protocol */
#define ETHERTYPE_REVARP 0x8035 /* reverse Addr. resolution
protocol */
#define ETHERTYPE_VLAN 0x8100 /* IEEE 802.1Q VLAN tagging */
#define ETHERTYPE_IPV6 0x86dd /* IPv6 */
#define ETHERTYPE_LOOPBACK 0x9000 /* used to test interfaces */
...to distinguish between IPv4, IPv6, ARP traffic, and so forth.
I've written some code that needed to do packet capture and run on a
range of platforms-- FreeBSD, NetBSD, Linux, Darwin, Solaris. I
haven't tested all of the datalink types, so I won't promise that the
offsets below are entirely correct, but this might still be helpful:
/* some platforms define ETHER_HDR_LEN, but not all of them do */
#define DLH_EN (14)
int
datalink_offset(int dltype) {
switch (dltype) {
case DLT_NULL: return 4;
case DLT_EN10MB: return DLH_EN;
case DLT_IEEE802: return 22;
case DLT_ARCNET: return 4; /* not sure */
case DLT_SLIP: return 16;
case DLT_PPP: return 24;
case DLT_FDDI: return 21;
case DLT_ATM_RFC1483: return 8; /* not sure */
case DLT_RAW: return 0;
#if !defined(__NetBSD__)
case DLT_LOOP: return 4;
case DLT_LINUX_SLL: return 16;
#endif
default:
logwarn("unknown/unsupported PCAP datalink type\n");
return 0;
}
}
--
-Chuck
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43393A5D-A13B-4385-A6E3-EDD21343277A>