Re: net programming guide + ether taps

Matias Freytes wrote:

> > > 3) I also need to "capture" full 802.3 encapsulated IP frames
> > > from my LAN and save them to a file. I've read about ether taps
> > > and packet sockets. What should I use? This is for a group of
> > > students who want to play a little bit with "frame decoding". I'd
> > > like to get
> > 
> > You can use "tcpdump -i eth0 -s 1518 -w <filename> ...". If you want
> > to do it yourself, you can use libpcap (as used by tcpdump), or create
> > a PF_PACKET socket (as used by libpcap); see the packet(7) manpage.
> 
> Does 'tcpdump -i eth0 -s 1518 -w output_file' write "802.3 (as
> in RFC1042) + IP_header + UDP/TCP_header + payload" to
> "output_file"? Is this BIG_ENDIAN or LITTLE_ENDIAN? I tried to
> read it in hex, but didn't succeed at it.

OK; it seems that newer versions of tcpdump store the data in a more
complex format. Older versions just wrote the raw packet data (plus a
timestamp) as fixed size blocks.

I guess that you'll have to use libpcap or a packet socket (or find an
older version of tcpdump).

-- 
Glynn Clements <glynn.clements@virgin.net>
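
An added example, not part of the original message: a reader for the classic libpcap savefile layout (a 24-byte file header, then a 16-byte record header in front of each captured frame) that detects the writer's byte order from the magic number and then tells Ethernet II from 802.3 with RFC 1042 LLC/SNAP. The function names and the sample capture are constructed for illustration; pcapng and nanosecond-timestamp files are not handled.

```python
import struct

MAGIC = 0xA1B2C3D4  # classic pcap magic, stored in the capturing host's byte order

def read_pcap(data):
    """Return (byte_order, linktype, [(ts_sec, ts_usec, orig_len, frame), ...])."""
    if len(data) < 24:
        raise ValueError("truncated file header")
    for order in ("<", ">"):  # little-endian writer, then big-endian writer
        if struct.unpack(order + "I", data[:4])[0] == MAGIC:
            break
    else:
        raise ValueError("not a classic microsecond pcap file")
    linktype = struct.unpack(order + "I", data[20:24])[0]  # last field of the file header
    packets, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        ts_sec, ts_usec, caplen, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        if off + caplen > len(data):  # never trust a length field read from the file
            raise ValueError("record runs past end of file")
        packets.append((ts_sec, ts_usec, orig_len, data[off:off + caplen]))
        off += caplen
    return order, linktype, packets

def decode_ethernet(frame):
    """Return (encapsulation, ethertype, payload); on-wire fields are big-endian."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (type_len,) = struct.unpack("!H", frame[12:14])
    if type_len >= 0x0600:  # Ethernet II: the field is an EtherType
        return "Ethernet II", type_len, frame[14:]
    # 802.3: the field is a length; RFC 1042 follows it with LLC AA-AA-03, OUI 00-00-00
    if len(frame) >= 22 and frame[14:20] == b"\xaa\xaa\x03\x00\x00\x00":
        (ethertype,) = struct.unpack("!H", frame[20:22])
        return "802.3 LLC/SNAP", ethertype, frame[22:14 + type_len]
    return "802.3 LLC", None, frame[14:14 + type_len]

def build_sample(order):  # constructed capture: made-up MACs and payloads
    macs = bytes.fromhex("020000000001020000000002")
    snap = macs + struct.pack("!H", 12) + bytes.fromhex("aaaa03000000") + b"\x08\x00IPv4"
    eth2 = macs + b"\x08\x06" + b"ARP!"
    out = struct.pack(order + "IHHiIII", MAGIC, 2, 4, 0, 0, 1518, 1)  # linktype 1 = Ethernet
    for i, f in enumerate((snap, eth2)):
        out += struct.pack(order + "IIII", 1000 + i, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print([decode_ethernet(p[3])[:2] for o in "<>" for p in read_pcap(build_sample(o))[2]])
```

Only the file and record headers follow the byte order of the machine that wrote the capture; the frame bytes inside each record are stored as they appeared on the wire.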