Hi Selçuk, if you're doing anything involving multiple link types and Wireshark/dumpcap, you'll want to check out the enhanced pcap-ng file format support in the latest SVN versions of Wireshark. So it seems, mergecap doesn't support merging multiple link-layer types in pcap-ng files yet, although as a workaround, you can concatenate the files (dumped with dumpcap -n) in order of date/time created, and receive a usable result.
Otherwise, if you ended up with a "cooked" capture file (as produced by capturing on the Linux "any" pseudo-device), you'll only get useful data from some of the packets.
As with the pcap file format, I believe that the pcap_* APIs only let you work with one link-layer type at a time, although others are free to correct me on that, since I haven't worked with them directly.
I hope that helps,
Tyson.
On Fri, May 29, 2009 at 1:23 PM, Selçuk Cevher
<cevhers@xxxxxxxxx> wrote:
Hi Everybody,
First of all, I am not sure if this is the right place to ask this question.
How can I determine the protocol running on data link layer (i.e., Ethernet, Wi-Fi 802.11, etc) while analyzing packets in a "merged" dumped file with pcap format if the pcap file contains a mixture of packets with various data link layer protocols?
libpcap has pcap_datalink(...) function allowing us to determine the data link layer protocol for live capture -- it gets this information directly from the actual network interface that is sniffed on.
However, in the case of offline analysis, it seems pcap_datalink() will not work since it is not possible to know what kind of interface those packets came from.
Any idea?
Thanks.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-dev
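The thread above turns on where the link-layer type is stored: a classic pcap file has a single link type in its global header, while pcap-ng records one per interface in an Interface Description Block, and each Enhanced Packet Block names the interface it was captured on. The following is an added example, not code from the thread or from Wireshark, that resolves the link type of every packet in a pcap-ng byte stream; the function names and the sample capture are constructed for illustration.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
# Small subset of LINKTYPE_ values from the tcpdump.org registry.
LINKTYPES = {1: "ETHERNET", 105: "IEEE802_11", 113: "LINUX_SLL"}

def block(btype, body, e="<"):
    """Build one pcap-ng block (helper for the constructed sample only)."""
    body += b"\x00" * (-len(body) % 4)
    total = struct.pack(e + "I", len(body) + 12)
    return struct.pack(e + "I", btype) + total + body + total

def packet_linktypes(data):
    """Return [(interface_id, linktype, captured_len)] for each packet block."""
    out, ifaces, off, e = [], [], 0, "<"
    while off + 12 <= len(data):
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":  # SHB type is palindromic
            e = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
            ifaces = []  # interface numbering restarts in every section
        btype, total = struct.unpack_from(e + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"bad block length {total} at offset {off}")
        body = data[off + 8:off + total - 4]
        if btype == IDB:  # first 16 bits of the body are the link type
            ifaces.append(struct.unpack_from(e + "H", body)[0])
        elif btype == EPB:  # interface id, timestamp hi/lo, caplen, origlen
            iface, _, _, caplen, _ = struct.unpack_from(e + "5I", body)
            if iface >= len(ifaces):
                raise ValueError(f"EPB references unknown interface {iface}")
            out.append((iface, ifaces[iface], caplen))
        off += total
    return out

def sample_capture():
    """Constructed capture: Ethernet on if 0, 802.11 on if 1, one packet each."""
    shb = block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idbs = block(IDB, struct.pack("<HHI", 1, 0, 65535)) + \
           block(IDB, struct.pack("<HHI", 105, 0, 65535))
    epb = lambda i, p: block(EPB, struct.pack("<5I", i, 0, 0, len(p), len(p)) + p)
    return shb + idbs + epb(1, b"\x80\x00" + b"\x00" * 22) + epb(0, b"\xff" * 14)

if __name__ == "__main__":
    for iface, lt, caplen in packet_linktypes(sample_capture()):
        print(f"if{iface} {LINKTYPES.get(lt, lt)} caplen={caplen}")
```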