On Nov 26, 2014, at 8:18 PM, Anil <anilkumar...@gmail.com> wrote: > Hi, > > During packet capture, I want to log additional data other than what's in the > ethernet packet and the per packet pcap header. So, I have created a custom > header and am logging additional information into this. > > I have modified pcap_to_wtap_map[] to add another mapping to add another > link type.
And you registered the LINKTYPE_ value that you're using as an index into that array with tcpdump-work...@lists.tcpdump.org, right? As the comment before that array says: /* * Map link-layer header types (LINKTYPE_ values) to Wiretap encapsulations. * * Either LBL NRG wasn't an adequate central registry (e.g., because of * the slow rate of releases from them), or nobody bothered using them * as a central registry, as many different groups have patched libpcap * (and BPF, on the BSDs) to add new encapsulation types, and have ended * up using the same DLT_ values for different encapsulation types. * * The Tcpdump Group now maintains the list of link-layer header types; * they introduced a separate namespace of LINKTYPE_ values for the * values to be used in capture files, and have libpcap map between * those values in capture file headers and the DLT_ values that the * pcap_datalink() and pcap_open_dead() APIs use. See * http://www.tcpdump.org/linktypes.html for a list of LINKTYPE_ values. * * In most cases, the corresponding LINKTYPE_ and DLT_ values are the * same. In the cases where the same link-layer header type was given * different values in different OSes, a new LINKTYPE_ value was defined, * different from all of the existing DLT_ values. * * This table maps LINKTYPE_ values to the corresponding Wiretap * encapsulation. For cases where multiple DLT_ values were in use, * it also checks what <pcap.h> defineds to determine how to interpret * them, so that if a file was written by a version of libpcap prior * to the introduction of the LINKTYPE_ values, and has a DLT_ value * from the OS on which it was written rather than a LINKTYPE_ value * as its linktype value in the file header, we map the numerical * DLT_ value, as interpreted by the libpcap with which we're building * Wireshark/Wiretap interprets them (which, if it doesn't support * them at all, means we don't support them either - any capture files * using them are foreign, and we don't hazard a guess as to which * platform they came from; we could, I guess, choose the most likely * platform), to the corresponding Wiretap encapsulation. * * Note: if you need a new encapsulation type for libpcap files, do * *N*O*T* use *ANY* of the values listed here! I.e., do *NOT* * add a new encapsulation type by changing an existing entry; * leave the existing entries alone. * * Instead, send mail to tcpdump-work...@lists.tcpdump.org, asking for * a new LINKTYPE_/DLT_ value, and specifying the purpose of the new * value. When you get the new LINKTYPE_/DLT_ value, use that numerical * value in the "linktype_value" field of "pcap_to_wtap_map[]". */ If you do not request a value from tcpdum-work...@lists.tcpdump.org, but instead choose your own value, none of your changes to Wireshark adding that value will ever be accepted. You ***MUST*** first get an official value. ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
