Re: ulogd2, netfilter, and link-layer information

Hello Laurent,

On 24 July 2014 15:24:43 CEST, Laurent Parenteau <laurent.parenteau@xxxxxxxxx> wrote:
>Hi,
>
>I have recently used ulogd2 & netfilter to capture some traffic and
>create a pcap file.
>
>In the resulting pcap file, there is no link-layer information.
>Everything else is pretty much the same as what I get from a tcpdump
>capture; the only missing information is the link-layer (layer 2)
>information.
>
>In wireshark, that missing information is displayed as a "Raw packet
>data" section, with the content being "No link information available".
>That sits between the Frame information and the IPv4 information.
>
>So my question is, is it possible to capture the link-layer (layer 2)
>information as well using ulogd2 & netfilter, or is this a limitation
>of the tools?

Ulogd2 has to handle the generic case: logged packets can come from multiple interfaces, and encapsulation can vary across these different interfaces. So logging raw data is the only setup that will always work in ulogd2's case.

A possible solution would be to add an option to use the pcapng storage format (when libpcap is recent enough on the system). This should allow specifying the layer 2 interface for each packet.

I'm currently away from a computer with Wireshark, so I don't know how I can test whether it correctly handles this type of file.

Another solution would be to add an option forcing the layer 2 type for all logged packets of a given pcap output. This would allow using kernel-provided layer 2 information and writing fully qualified packets for encapsulations like Ethernet.

This second solution looks far easier to implement and should be enough for you. Feel free to open a ticket on bugzilla if you are interested in that.

BR,

>
>Thanks,
>Laurent
>--
>To unsubscribe from this list: send the line "unsubscribe netfilter" in
>the body of a message to majordomo@xxxxxxxxxxxxxxx
>More majordomo info at  http://vger.kernel.org/majordomo-info.html

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
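
Added example (not part of the original thread and not ulogd2 code): a classic pcap file records a single link-layer type in its global header for every packet in the file, which is the constraint behind both the raw-only output and the "force one layer 2 type" option discussed above. The sketch assumes the raw case is LINKTYPE_RAW (101); the helper names and all packet bytes are constructed for illustration.

```python
import struct

# Link-layer type codes from the pcap LINKTYPE_ registry.
LINKTYPE_ETHERNET = 1    # each record starts with a 14-byte Ethernet header
LINKTYPE_RAW = 101       # each record starts directly at the IP header
L2_HEADER_LEN = {LINKTYPE_ETHERNET: 14, LINKTYPE_RAW: 0}

def build_pcap(linktype, packets):
    """Serialise (ts_sec, bytes) packets into a little-endian pcap image."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, network.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts, data in packets:
        # Record header: ts_sec, ts_usec, captured length, original length.
        out += struct.pack("<IIII", ts, 0, len(data), len(data)) + data
    return out

def read_pcap(blob):
    """Return (linktype, [record bytes]) from a classic pcap file image."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    # The one file-wide link type lives in the last field of the header.
    linktype = struct.unpack_from(endian + "I", blob, 20)[0]
    records, off = [], 24
    while off + 16 <= len(blob):
        incl_len = struct.unpack_from(endian + "I", blob, off + 8)[0]
        if off + 16 + incl_len > len(blob):
            raise ValueError("truncated record")
        records.append(blob[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return linktype, records

def ip_headers(blob):
    """Skip the layer 2 header implied by the file-wide link type."""
    linktype, records = read_pcap(blob)
    if linktype not in L2_HEADER_LEN:
        raise ValueError("unhandled link type %d" % linktype)
    skip = L2_HEADER_LEN[linktype]
    return [r[skip:skip + 20] for r in records]

# Constructed sample: 20-byte IPv4 header, 192.0.2.1 -> 192.0.2.2, checksum 0.
IPV4 = bytes.fromhex("450000140001000040060000c0000201c0000202")
# Constructed Ethernet header: dst MAC, src MAC, EtherType 0x0800 (IPv4).
ETH = bytes.fromhex("020000000002" "020000000001" "0800")
RAW_FILE = build_pcap(LINKTYPE_RAW, [(1, IPV4)])
ETH_FILE = build_pcap(LINKTYPE_ETHERNET, [(1, ETH + IPV4)])
```

Both file images carry the same IP header; only the header's link type tells a reader whether 14 bytes of Ethernet framing precede it.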