Re: bpf writes on tun device

Tue, 07 Jun 2005 13:47:25 -0700 

On Jun 7, 2005, at 3:54 PM, Matthew Luckie wrote:
I'd be wary of changing the definition of DLT_NULL however -- it literally means 'there's nothing here apart from raw data', and changing this notion would mean that we have to change it everywhere, including bpf clients, because the change being proposed would make DLT_NULL mean 'there's a 32-bit integer in front of everything else which is raw data', which is something 
else.



this was the behaviour expected of most DLT_NULL bpf devices  
already (passing a 32bit int when writing).  It is important to  
note that the behaviour of BPF writers does not change in these  
cases, and my patch is merely a bug fix.



Agreed.  When you use BPF or PCAP to capture packets, for the  
DTL_NULL case there is a 4-byte offset between where PCAP says the  
packet starts and where the actual raw IP packet starts.



If you want BPF/PCAP to return packets without the 4-byte offset, the  
associated datalink type is actually called DLT_RAW.  Note that the  
behavior of DLT_NULL is useful in practice, since you can find out  
what the "ether type" of the packet was per <net/ethernet.h>:


#define ETHERTYPE_IP            0x0800  /* IP protocol */
#define ETHERTYPE_ARP           0x0806  /* Addr. resolution protocol */

#define ETHERTYPE_REVARP        0x8035  /* reverse Addr. resolution  
protocol */

#define ETHERTYPE_VLAN          0x8100  /* IEEE 802.1Q VLAN tagging */
#define ETHERTYPE_IPV6          0x86dd  /* IPv6 */
#define ETHERTYPE_LOOPBACK      0x9000  /* used to test interfaces */

...to distinguish between IPv4, IPv6, ARP traffic, and so forth.


I've written some code that needed to do packet capture and run on a  
range of platforms-- FreeBSD, NetBSD, Linux, Darwin, Solaris.   I  
haven't tested all of the datalink types, so I won't promise that the  
offsets below are entirely correct, but this might still be helpful:


/* some platforms define ETHER_HDR_LEN, but not all of them do */
#define DLH_EN (14)

int
datalink_offset(int dltype) {
    switch (dltype) {
      case DLT_NULL:    return 4;
      case DLT_EN10MB:  return DLH_EN;
      case DLT_IEEE802: return 22;
      case DLT_ARCNET:  return 4; /* not sure */
      case DLT_SLIP:    return 16;
      case DLT_PPP:     return 24;
      case DLT_FDDI:    return 21;
      case DLT_ATM_RFC1483: return 8; /* not sure */
      case DLT_RAW:     return 0;
#if !defined(__NetBSD__)
      case DLT_LOOP:    return 4;
      case DLT_LINUX_SLL: return 16;
#endif
      default:
        logwarn("unknown/unsupported PCAP datalink type\n");
        return 0;
    }
}

--
-Chuck

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"






















					Reply via email to