From owner-freebsd-net@FreeBSD.ORG Tue Jun 7 20:47:12 2005 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C279716A41C for ; Tue, 7 Jun 2005 20:47:12 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from smtpout.mac.com (smtpout.mac.com [17.250.248.88]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8C9FC43D5D for ; Tue, 7 Jun 2005 20:47:12 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from mac.com (smtpin01-en2 [10.13.10.146]) by smtpout.mac.com (Xserve/8.12.11/smtpout01/MantshX 4.0) with ESMTP id j57KlAGI006168; Tue, 7 Jun 2005 13:47:10 -0700 (PDT) Received: from [192.168.1.6] (pool-68-161-53-96.ny325.east.verizon.net [68.161.53.96]) (authenticated bits=0) by mac.com (Xserve/smtpin01/MantshX 4.0) with ESMTP id j57Kl5hg023792; Tue, 7 Jun 2005 13:47:06 -0700 (PDT) In-Reply-To: <42A5FB72.4010603@luckie.org.nz> References: <4295A6CA.8080409@luckie.org.nz> <20050606081637.GA73886@lycra.luckie.org.nz> <20050606120851.GD734@empiric.icir.org> <20050606204008.GA91353@lycra.luckie.org.nz> <20050607101927.GA99034@lycra.luckie.org.nz> <20050607112340.GC812@empiric.icir.org> <42A5FB72.4010603@luckie.org.nz> Mime-Version: 1.0 (Apple Message framework v730) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: <43393A5D-A13B-4385-A6E3-EDD21343277A@mac.com> Content-Transfer-Encoding: 7bit From: Charles Swiger Date: Tue, 7 Jun 2005 16:47:02 -0400 To: Matthew Luckie X-Mailer: Apple Mail (2.730) Cc: freebsd-net@freebsd.org Subject: Re: bpf writes on tun device X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Jun 2005 20:47:13 -0000 On Jun 7, 2005, at 3:54 PM, Matthew Luckie wrote: >> I'd be wary of changing the definition of DLT_NULL however -- it >> literally >> means 'there's nothing here apart from raw data', and changing >> this notion >> would mean that we have to change it everywhere, including bpf >> clients, >> because the change being proposed would make DLT_NULL mean >> 'there's a 32-bit >> integer in front of everything else which is raw data', which is >> something >> else. > > this was the behaviour expected of most DLT_NULL bpf devices > already (passing a 32bit int when writing). It is important to > note that the behaviour of BPF writers does not change in these > cases, and my patch is merely a bug fix. Agreed. When you use BPF or PCAP to capture packets, for the DTL_NULL case there is a 4-byte offset between where PCAP says the packet starts and where the actual raw IP packet starts. If you want BPF/PCAP to return packets without the 4-byte offset, the associated datalink type is actually called DLT_RAW. Note that the behavior of DLT_NULL is useful in practice, since you can find out what the "ether type" of the packet was per : #define ETHERTYPE_IP 0x0800 /* IP protocol */ #define ETHERTYPE_ARP 0x0806 /* Addr. resolution protocol */ #define ETHERTYPE_REVARP 0x8035 /* reverse Addr. resolution protocol */ #define ETHERTYPE_VLAN 0x8100 /* IEEE 802.1Q VLAN tagging */ #define ETHERTYPE_IPV6 0x86dd /* IPv6 */ #define ETHERTYPE_LOOPBACK 0x9000 /* used to test interfaces */ ...to distinguish between IPv4, IPv6, ARP traffic, and so forth. I've written some code that needed to do packet capture and run on a range of platforms-- FreeBSD, NetBSD, Linux, Darwin, Solaris. I haven't tested all of the datalink types, so I won't promise that the offsets below are entirely correct, but this might still be helpful: /* some platforms define ETHER_HDR_LEN, but not all of them do */ #define DLH_EN (14) int datalink_offset(int dltype) { switch (dltype) { case DLT_NULL: return 4; case DLT_EN10MB: return DLH_EN; case DLT_IEEE802: return 22; case DLT_ARCNET: return 4; /* not sure */ case DLT_SLIP: return 16; case DLT_PPP: return 24; case DLT_FDDI: return 21; case DLT_ATM_RFC1483: return 8; /* not sure */ case DLT_RAW: return 0; #if !defined(__NetBSD__) case DLT_LOOP: return 4; case DLT_LINUX_SLL: return 16; #endif default: logwarn("unknown/unsupported PCAP datalink type\n"); return 0; } } -- -Chuck