Ok, thanks.

The reason I ask is I'm writing wiretap support for the Firestorm NIDS
(http://www.scaramanga.co.uk/firestorm) alert log which dumps out the
sll layer too. I have an "Alert" dissector first, so I need to call the
sll dissector rather than just set the encap whilst reading.

Firestorm uses an mmapped packet socket for capture, so the sll
structure is different too (tpacket_hdr + alignment + sockaddr_ll +
alignment). Bit of a pain really as I've had to mod packet-sll to
detect this and act accordingly.

I may just check the ethertype inside the sll in my alert handler and
jump directly to ether. Unless somebody thinks mmapped packet socket
sll support would be useful? (I'm not sure where else this would crop
up.) It might be nice to be able to capture using this method... has
anybody thought about this before?

~John.

On Thu, 2003-02-13 at 01:00, Guy Harris wrote:
> On Thu, Feb 13, 2003 at 12:30:44AM +0000, John Leach wrote:
> > can anybody tell me why the sll dissector isn't registered using the
> > register_dissector() function, and therefore can't be found by
> > find_dissector() ?
>
> Because nobody has yet given any reason why any other dissector would
> *want* to find it. The Linux SLL header is a top-level link-layer
> header, so there's no reason to expect that a packet with that header
> would be encapsulated inside another packet.
--
GPG KEY: B89C D450 5B2C 74D8 58FB A360 9B06 B5C2 26F0 3047
HTTP: http://www.johnleach.co.uk
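
The frame layout mentioned in the message (tpacket_hdr + alignment + sockaddr_ll + alignment), as an added example that is not code from the post, from Ethereal or from Firestorm: a bounds-checked reader that pulls the ethertype out of one frame. It assumes the Linux kernel's TPACKET_V1 layout from `<linux/if_packet.h>`; whether Firestorm's alert log stores frames exactly this way is not stated in the thread, the names `frame_view`, `parse_frame` and `make_sample` are hypothetical, and the sample frame is constructed.

```c
#include <arpa/inet.h>
#include <linux/if_packet.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical result type for this example. */
struct frame_view {
    uint16_t ethertype;   /* sll_protocol in host byte order */
    const uint8_t *pkt;   /* first captured byte (frame start + tp_mac) */
    uint32_t caplen;      /* tp_snaplen */
};

/* Parse one TPACKET_V1 frame. Returns 0, or -1 when a header or a
 * recorded offset/length does not fit inside the len bytes supplied. */
int parse_frame(const uint8_t *buf, size_t len, struct frame_view *out)
{
    /* sockaddr_ll starts at the next 16-byte boundary after tpacket_hdr */
    const size_t sll_off = TPACKET_ALIGN(sizeof(struct tpacket_hdr));
    struct tpacket_hdr th;
    struct sockaddr_ll sll;
    if (len < sll_off + sizeof sll) return -1;
    memcpy(&th, buf, sizeof th);              /* copy out: no unaligned reads */
    memcpy(&sll, buf + sll_off, sizeof sll);
    /* tp_mac comes from the file: it must lie past both headers and inside buf */
    if (th.tp_mac < sll_off + sizeof sll || th.tp_mac > len) return -1;
    /* the claimed capture length must not run past the end of buf */
    if (th.tp_snaplen > len - th.tp_mac) return -1;
    out->ethertype = ntohs(sll.sll_protocol);
    out->pkt = buf + th.tp_mac;
    out->caplen = th.tp_snaplen;
    return 0;
}

/* Build a constructed sample frame (not real capture data).
 * Returns its length, or 0 if cap is too small. */
size_t make_sample(uint8_t *buf, size_t cap)
{
    static const uint8_t eth[18] = { 2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00, 0x45,0,0,0x14 };
    struct tpacket_hdr th = {0};
    struct sockaddr_ll sll = {0};
    /* offset chosen so the network header lands on a 16-byte boundary */
    th.tp_mac = TPACKET_ALIGN(TPACKET_HDRLEN + 16) - 14;
    th.tp_len = th.tp_snaplen = sizeof eth;
    sll.sll_protocol = htons(0x0800);         /* IPv4, network byte order */
    if (cap < th.tp_mac + sizeof eth) return 0;
    memset(buf, 0, cap);
    memcpy(buf, &th, sizeof th);
    memcpy(buf + TPACKET_ALIGN(sizeof th), &sll, sizeof sll);
    memcpy(buf + th.tp_mac, eth, sizeof eth);
    return th.tp_mac + sizeof eth;
}
```

Because `tp_status` is an `unsigned long`, `sizeof(struct tpacket_hdr)` differs between 32-bit and 64-bit writers, which is one reason a reader of such a log has to validate the recorded offsets rather than hard-code them.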