Project

General

Profile

Actions
Copy link

Bug #6954

closed
VJ JL

eve: packet field packet_info.linktype is non-portable

Bug #6954: eve: packet field packet_info.linktype is non-portable

Added by Victor Julien about 2 years ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Jeff Lucovsky
Target version:
8.0.0-beta1
Affected Versions:
Effort:
Difficulty:
Label:

Description

This field holds a numeric representation of the linktype/datalink, but this number can differ between operating systems. Most notably DLT_RAW is has value 12 on linux and 14 on OpenBSD.

It would probably be best to use a string representation. Following capinfos might make sense:

File encapsulation:  Raw IP

Interface #0 info:
                     Encapsulation = Raw IP (7 - rawip)

Could do "Raw IP" or follow the "rawip" notation.

Regardless this should be in a new field.

JL Updated by Jeff Lucovsky almost 2 years ago Actions
Copy link
 #1

A simple solution would use the interface pcap_datalink_val_to_name to get the display name for the datalink value.

JL Updated by Jeff Lucovsky almost 2 years ago ยท Edited Actions
Copy link
 #2

  • Status changed from New to In Review
  • Assignee changed from OISF Dev to Jeff Lucovsky

PA Updated by Philippe Antoine over 1 year ago Actions
Copy link
 #3

  • Target version changed from TBD to 8.0.0-beta1

VJ Updated by Victor Julien about 1 year ago Actions
Copy link
 #4

  • Status changed from In Review to Closed
Actions
Copy link

Also available in: PDF Atom