Reputation: 77
Linux Cooked Capture in Packets
What is the use of a Linux cooked capture header? I get this header from a device when I do packet capture on a particular interface.
Upvotes: 3
Views: 6900
Answers (1)
Reputation: 6264
The Linux cooked capture header and the reason for it is probably best described on the Wireshark wiki SLL page, quoted here for convenience:
Linux cooked-mode capture (SLL)
This is the pseudo-protocol used by libpcap on Linux to capture from the "any" device and to capture on some devices where the native link layer header isn't available or can't be used. (For example, the Linux PPP code doesn't reliably supply a PPP header to libpcap - it's usually either absent, meaning that the packet type isn't available, or contains extra random gunk in some but not all packets, as happens on some PPP-over-ISDN interfaces - so the SLL pseudo-link-layer is used on PPP interfaces. It's used on the "any" device because not all interfaces on a machine necessarily have the same link-layer type, but, in order for capture filters to work, all packets on an interface must have the same type of link-layer header.)
When capturing from the "any" device, or from one of those other devices, in Linux, the libpcap doesn't supply the link-layer header for the real "hardware protocol" like Ethernet, but instead supplies a fake link-layer header for this pseudo-protocol.
(For those who are curious, "SLL" stands for "sockaddr_ll"; capturing in "cooked mode" is done by reading from a PF_PACKET/SOCK_DGRAM socket rather than the PF_PACKET/SOCK_RAW socket normally used for capturing. Using SOCK_DGRAM rather than SOCK_RAW means that the Linux socket code doesn't supply the packet's link-layer header. This means that information such as the link-layer protocol's packet type field, if any, isn't available, so libpcap constructs a synthetic link-layer header from the address supplied when it does a recvfrom() on the socket. On PF_PACKET sockets, that address is of type sockaddr_ll, where "ll" presumably stands for "link layer"; the fields in that structure begin with sll_. See the packet(7) man page on a Linux system for more details.)
Upvotes: 6
Related Questions
- Unable to read packets captured from wifi network using wireshark
- Capturing packets using wireshark of an IoT device
- tcpdump and wifi retransmissions
- Where did Wireshark/tcpdump/libpcap intercept packet inside Linux kernel?
- Capture Wifi packets using libpcap
- Setted wireless interface but captures ethernet data
- Wireshark doesn't capture 802.11 data packets
- Capturing data packets in closed LAN
- Packet sniffing with Channel hopping in linux
- Live packet capture on linux