Wireshark-bugs: [Wireshark-bugs] [Bug 10956] Packets on OpenBSD loopback decoded as raw not null
Comment # 1
on bug 10956
from Guy Harris
This is the reason why LINKTYPE_ values were created - various BSDs went off
and picked their own DLT_ values for various purposes, with some numerical
values having different meanings on different BSDs, *and proceeded to stuff
them into files*, which is a horrible horrible horrible horrible horrible
horrible thing to do, as it means that, to understand files using those DLT_
values, you have to know what OS it was created on, *and that's not stored in a
pcap file*.
Sigh.
OpenBSD *SHOULD* put 108, not 12, into the "linktype" field of a loopback pcap
capture's file header or the link-layer type field of a loopback interface's
Interface Description Block in a pcap-ng file. (Its libpcap can, and probably
should, return 12 for files with a link-layer header type of 108, so that
programs expecting DLT_LOOP get it. Other OSes' libpcap should return 108, as
12 may mean something else on other OSes:
$ egrep 12 /usr/include/net/bpf.h
* Copyright (c) 2000-2012 Apple Inc. All rights reserved.
...
#define DLT_RAW 12 /* raw IP */
and you'll get different meanings for 12 on other BSD-flavored OSes as well.
Wireshark/TShark, when built on an operating system that defines DLT_LOOP as
12, should treat files/interfaces with a link-layer header type of 12 as
"loopback" rather than "raw IP".
Wireshark/TShark, when built on an OS that defines something *else* as 12,
should treat files/interfaces with a link-layer header type of 12 as whatever
it's defined as on that operating system; currently, Wireshark, when built on
an OS that either doesn't define DLT_LOOP or doesn't define DLT_LOOP as 12,
treats it as "raw IP", as it should.
So, as "Running on OpenBSD 5.7" strongly suggests "Built on OpenBSD", something
isn't working right. It appears that the code that's checking (at compile
time, obviously) whether the OS defines DLT_LOOP as 12 isn't including
<net/bpf.h>, so DLT_LOOP probably isn't getting defined at all. I thought I'd
made it do so a long time ago; perhaps I'm misremembering or perhaps somebody
removed the include because they weren't aware why it was being done.
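
Added example, not part of the original message and not Wireshark or libpcap code: a sketch of how a reader of classic pcap files has to resolve linktype 12, while 108 needs no knowledge of the OS. The names, the ENCAP_ values and the dlt_loop_is_12 parameter (standing in for the compile-time <net/bpf.h> check) are assumptions, and the two headers are constructed samples.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PCAP_MAGIC_USEC 0xa1b2c3d4u  /* classic pcap, microsecond timestamps */
#define PCAP_MAGIC_NSEC 0xa1b23c4du  /* classic pcap, nanosecond timestamps */
#define PCAP_HDR_LEN    24           /* linktype is the last 4 bytes (offset 20) */
#define LINKTYPE_LOOP   108          /* OS-independent value from the message */

enum encap { ENCAP_NOT_PCAP, ENCAP_OTHER, ENCAP_RAW_IP, ENCAP_LOOP };

/* Constructed sample: little-endian pcap 2.4 header, snaplen 65535, linktype 12. */
const uint8_t HDR_LT12[PCAP_HDR_LEN] = {
    0xd4, 0xc3, 0xb2, 0xa1, 2, 0, 4, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0xff, 0xff, 0, 0, 12, 0, 0, 0 };
/* Constructed sample: big-endian pcap 2.4 header, snaplen 65535, linktype 108. */
const uint8_t HDR_LT108_BE[PCAP_HDR_LEN] = {
    0xa1, 0xb2, 0xc3, 0xd4, 0, 2, 0, 4, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0xff, 0xff, 0, 0, 0, 108 };

static uint32_t rd32(const uint8_t *p, int big_endian)
{
    return big_endian
        ? ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]
        : ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

/* dlt_loop_is_12 (hypothetical): nonzero when the OS this reader was built on
 * defines DLT_LOOP as 12; the file itself cannot tell us which OS wrote it. */
enum encap classify_header(const uint8_t *hdr, size_t len, int dlt_loop_is_12)
{
    if (len < PCAP_HDR_LEN) return ENCAP_NOT_PCAP;
    for (int be = 0; be <= 1; be++) {          /* magic reveals the byte order */
        uint32_t magic = rd32(hdr, be);
        if (magic != PCAP_MAGIC_USEC && magic != PCAP_MAGIC_NSEC) continue;
        uint32_t lt = rd32(hdr + 20, be);
        if (lt == LINKTYPE_LOOP) return ENCAP_LOOP;   /* same meaning everywhere */
        if (lt == 12) return dlt_loop_is_12 ? ENCAP_LOOP : ENCAP_RAW_IP;
        return ENCAP_OTHER;
    }
    return ENCAP_NOT_PCAP;
}

int main(void)
{
    printf("12, DLT_LOOP==12 build: %d\n", classify_header(HDR_LT12, PCAP_HDR_LEN, 1));
    printf("12, other build:        %d\n", classify_header(HDR_LT12, PCAP_HDR_LEN, 0));
    printf("108, any build:         %d\n", classify_header(HDR_LT108_BE, PCAP_HDR_LEN, 0));
    return 0;
}
```

The same 24 bytes with linktype 12 classify differently depending only on the build flag, which is the ambiguity the message describes.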