
Ethereal-users: Re: [Ethereal-users] Middle Pane configuration

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Mon, 24 Jun 2002 13:43:19 -0700
On Mon, Jun 24, 2002 at 09:37:24AM -0500, Beatriz Silva wrote:
> I would like to include the mac destination address in the Linux
> cooked capture ..  How can I do that ?

You can't.

A Linux cooked capture is a capture done with a PF_PACKET/SOCK_DGRAM
socket.

In SOCK_DGRAM mode, the link-layer header is *NOT* supplied to the
program reading from the socket - it's stripped off of the packet data. 
Therefore, the MAC destination address is not supplied as part of the
packet data.

If you do a "recvfrom()" call to read from the socket - that's what
libpcap does, and Ethereal just uses libpcap to capture packets - you
get the *source* address of the packet, and some other information, but
you do *not* get the destination address of the packet.

If you want the MAC destination address, you will have to capture on a
device that supports "raw-mode" (PF_PACKET/SOCK_RAW) capturing.  The
"any" device does not support this, and you cannot get the MAC
destination address when you capture on the "any" device.

> How can I configure what
> information is going to be displayed in the middle pane ?

You can't - the information that's displayed in the middle pane is the
information that's available in the packet, and, when capturing in
cooked mode, the MAC destination address is *NOT* available.

> Is the Linux cooked capture, the equivalent to the Ethernet packets fields ?

No.  The link-layer header that's constructed by libpcap when capturing
in cooked mode contains the fields that are shown under "Linux cooked
capture".
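
The difference between the two header layouts, as an added example that is not part of the original message or of libpcap: it parses a 14-byte Ethernet header and the 16-byte cooked header (packet type, ARPHRD type, address length, 8-byte address field, protocol) and shows that the cooked form has no field for the destination MAC. The sample frame, the MAC addresses and the cook() helper are constructed for illustration.

```python
import struct

# Constructed sample: one Ethernet header plus a 4-byte stand-in payload.
DST = bytes.fromhex("020000000002")   # constructed destination MAC
SRC = bytes.fromhex("020000000001")   # constructed source MAC
RAW_FRAME = DST + SRC + struct.pack("!H", 0x0800) + b"\x45\x00\x00\x14"

ETH = struct.Struct("!6s6sH")    # dst, src, EtherType (14 bytes)
SLL = struct.Struct("!HHH8sH")   # pkttype, ARPHRD type, addr len, addr, protocol (16 bytes)
PKTTYPE = {0: "to us", 1: "broadcast", 2: "multicast",
           3: "to another host", 4: "sent by us"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_ethernet(frame):
    if len(frame) < ETH.size:
        raise ValueError("truncated Ethernet header")
    dst, src, proto = ETH.unpack_from(frame)
    return {"dst": mac(dst), "src": mac(src), "proto": proto,
            "payload": frame[ETH.size:]}

def cook(frame, pkttype):
    """Hypothetical helper: rebuild a frame the way a cooked capture records it."""
    dst, src, proto = ETH.unpack_from(frame)
    # The destination MAC is dropped; only the source fits the header layout.
    return SLL.pack(pkttype, 1, len(src), src.ljust(8, b"\0"), proto) + frame[ETH.size:]

def parse_sll(frame):
    if len(frame) < SLL.size:
        raise ValueError("truncated cooked header")
    pkttype, hatype, halen, addr, proto = SLL.unpack_from(frame)
    # Addresses longer than 8 bytes are cut to 8; shorter ones are zero-padded.
    src = mac(addr[:min(halen, 8)]) if halen else None
    return {"pkttype": PKTTYPE.get(pkttype, f"unknown ({pkttype})"),
            "hatype": hatype, "src": src, "dst": None, "proto": proto,
            "payload": frame[SLL.size:]}

if __name__ == "__main__":
    print(parse_ethernet(RAW_FRAME))
    print(parse_sll(cook(RAW_FRAME, 3)))
```

The packet type field is the only destination-related information left in a cooked header: it says whether the packet was unicast to the host, broadcast, multicast, addressed to another host, or sent by the host, but not to which address.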