The system I am testing right now has a couple of virtual L2 devices chained together to add our own L2.5 headers between the Ethernet headers and the IP headers. Now when I use tcpdump -xx -i vir_device_1, it actually shows the SLL header with the IP header. How do I capture the full packet that is actually going out of vir_device_1, i.e. after the ndo_start_xmit() device call?
Either by writing your own code to directly use a PF_PACKET/SOCK_RAW socket (you say “SLL header”, so this is presumably Linux), or by:
- ARPHRD_ value for your virtual interface;
- DLT_USERn values for your special set of headers, or asking tcpdump-workers@lists.tcpdump.org for an official DLT_ value to be assigned for them;
- ARPHRD_ value to the DLT_ value you’re using;
- DLT_ value;

Note that the DLT_USERn values are specifically reserved for private use, and no official versions of libpcap, tcpdump, or Wireshark will ever assign them for their own use (i.e., if you use a DLT_USERn value, don’t bother contributing patches to assign that value to your type of headers, as they won’t be accepted; other people may already be using it for their own special headers, and that must continue to be supported), so you’ll have to maintain the modified versions of libpcap, tcpdump, etc. yourself if you use one of those values rather than getting an official value assigned.
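The first option in the answer (reading straight from a PF_PACKET/SOCK_RAW socket) as an added example; this is not code from the question or the answer. A SOCK_RAW packet socket bound to the interface delivers the frame with the link-layer header the driver actually transmits, rather than the SLL pseudo-header libpcap substitutes when it does not recognise the interface's ARPHRD_ type. The L2.5 header layout (version, length, inner ethertype), the ethertype 0x88B5 used for it, and the sample frame are assumptions made for this example; the interface name vir_device_1 is taken from the question.

```c
/* Added example, not code from the original question or answer: read frames
 * from a PF_PACKET/SOCK_RAW socket bound to one interface and locate the IP
 * header behind a custom L2.5 header. The L2.5 layout, the 0x88B5 ethertype
 * and the sample frame are assumptions made for this example. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <net/if.h>
#include <net/ethernet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>

/* Assumed ethertype for the custom L2.5 header (0x88B5 is the IEEE 802.1
 * "local experimental" value, used here only as a placeholder). */
#define ETHERTYPE_L25_DEMO 0x88B5

/* Assumed L2.5 layout: version, total length in bytes (>= 4), inner ethertype. */
struct l25_demo_hdr { uint8_t ver; uint8_t len; uint16_t inner_type; } __attribute__((packed));

struct frame_view {
    uint8_t dst[ETH_ALEN], src[ETH_ALEN];
    uint16_t ethertype;     /* host byte order */
    size_t payload_off;     /* first byte after the Ethernet header */
};

/* Parse the 14-byte Ethernet header; 0 on success, -1 if the frame is short. */
int parse_ether(const uint8_t *buf, size_t len, struct frame_view *fv) {
    if (len < sizeof(struct ether_header)) return -1;
    const struct ether_header *eh = (const struct ether_header *)buf;
    memcpy(fv->dst, eh->ether_dhost, ETH_ALEN);
    memcpy(fv->src, eh->ether_shost, ETH_ALEN);
    fv->ethertype = ntohs(eh->ether_type);
    fv->payload_off = sizeof(struct ether_header);
    return 0;
}

/* Offset of the IPv4 header within the frame, or -1 if the frame is truncated,
 * carries an unknown ethertype, or the L2.5 length/inner type is inconsistent. */
long locate_ipv4(const uint8_t *buf, size_t len) {
    struct frame_view fv;
    if (parse_ether(buf, len, &fv) < 0) return -1;
    size_t off = fv.payload_off;
    if (fv.ethertype == ETHERTYPE_L25_DEMO) {
        struct l25_demo_hdr h;
        if (len < off + sizeof h) return -1;
        memcpy(&h, buf + off, sizeof h);
        if (h.len < sizeof h || ntohs(h.inner_type) != ETHERTYPE_IP) return -1;
        off += h.len;
    } else if (fv.ethertype != ETHERTYPE_IP) {
        return -1;
    }
    /* Minimal IPv4 sanity check: version 4, IHL >= 5, header inside the frame. */
    if (len < off + 20 || (buf[off] >> 4) != 4 || (buf[off] & 0x0f) < 5) return -1;
    return (long)off;
}

/* Constructed sample: Ethernet + 4-byte L2.5 header + bare IPv4 header (38 bytes). */
size_t build_sample_frame(uint8_t *out, size_t cap) {
    static const uint8_t frame[] = {
        0x02,0x00,0x00,0x00,0x00,0x02, 0x02,0x00,0x00,0x00,0x00,0x01, 0x88,0xB5, /* Ethernet */
        0x01,0x04,0x08,0x00,                                           /* L2.5: v1, len 4, inner IPv4 */
        0x45,0x00,0x00,0x14, 0x00,0x00,0x00,0x00, 0x40,0x11,0x00,0x00, /* IPv4 header */
        10,0,0,1, 10,0,0,2
    };
    if (cap < sizeof frame) return 0;
    memcpy(out, frame, sizeof frame);
    return sizeof frame;
}

/* Hex dump in the spirit of tcpdump -xx: link-layer bytes included. */
void hexdump(const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        printf("%02x%s", buf[i], (i % 16 == 15 || i + 1 == len) ? "\n" : " ");
}

/* Open a PF_PACKET/SOCK_RAW socket bound to ifname (needs CAP_NET_RAW); -1 on error. */
int open_raw_capture(const char *ifname) {
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket"); return -1; }
    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof sll);
    sll.sll_family = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex = (int)if_nametoindex(ifname);
    if (sll.sll_ifindex == 0 || bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) {
        perror("bind"); close(fd); return -1;
    }
    return fd;
}

int main(int argc, char **argv) {
    const char *ifname = argc > 1 ? argv[1] : "vir_device_1";  /* interface from the question */
    int fd = open_raw_capture(ifname);
    if (fd < 0) return 1;
    uint8_t buf[65536];
    for (int n = 0; n < 10; n++) {          /* dump ten frames, then exit */
        ssize_t got = recv(fd, buf, sizeof buf, 0);
        if (got < 0) { perror("recv"); break; }
        printf("%zd bytes, IPv4 header at offset %ld\n", got, locate_ipv4(buf, (size_t)got));
        hexdump(buf, (size_t)got);
    }
    close(fd);
    return 0;
}
```

Run it as root (or with CAP_NET_RAW) and pass the interface name; every frame is dumped from its first Ethernet byte, so the bytes between the ethertype and the IP header are visible exactly as the driver emitted them. The locate_ipv4 check is deliberately strict: a length field that does not fit the frame, or an inner ethertype that is not IPv4, is reported rather than silently skipped, which is the failure mode to watch for when a hand-written dissector meets a malformed or unexpected frame.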