Question

I was reading through the libpcap tutorial and was using some captures that I want to analyze (I didn't create them myself), so I am using the offline mode.

When applying the tutorial, nothing seemed to match. I didn't get valid MAC addresses from the Ethernet frame and not even the preamble seemed to be correct. After some experimenting I fired up Wireshark and noticed something odd. Each packet starts with a 6: these are not packets on the Ethernet (data link) layer, they are already one layer up on the IP (network) layer (they are IPv6 packets, which is expected).

Of course, I can now easily continue, but I am still wondering: how do I know at which layer the captured packets are? It seems there are at least two options: saving at the data link layer and saving at the network layer. Could it also be that I receive packets on the transport layer? How do I differentiate? Must the user tell me? I'd really hate to have to guess, but seeing as Wireshark gets it right, there must be a simple way to determine it.


Solution

The libpcap file format has a field in its global header called network that specifies the data link type. This corresponds to documentation over at the tcpdump project about various Link-Layer Header Types.

From there, you would be able to determine how many bytes the link layer consists of (if any), and it will be a surefire way for you to parse pcap files created with the libpcap library.

I am not aware of any program option in the "libpcap family" that would allow you to just capture starting at the transport layer.
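To show how the network field is read in practice, here is an added Python example (not code from the question or the answer) that parses the 24-byte pcap global header in either byte order, maps the linktype to the number of link-layer bytes to skip, and checks the IP version nibble of the first record; the two sample capture byte strings and the subset of the LINKTYPE_* table are constructed here.

```python
import struct

# Subset of the tcpdump LINKTYPE_* values (the pcap "network" field), mapped to
# how many bytes precede the network-layer header in each record.
LINK_HEADER_LEN = {
    0: 4,     # LINKTYPE_NULL: 4-byte protocol family (BSD loopback)
    1: 14,    # LINKTYPE_ETHERNET: dst MAC, src MAC, EtherType
    101: 0,   # LINKTYPE_RAW: record starts directly at the IPv4/IPv6 header
    113: 16,  # LINKTYPE_LINUX_SLL: Linux "cooked" capture pseudo-header
    228: 0,   # LINKTYPE_IPV4
    229: 0,   # LINKTYPE_IPV6
}

# First four bytes of the file -> struct byte-order prefix (us and ns timestamp magics)
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}

def parse_global_header(data):
    """Return (byte-order prefix, linktype) from the 24-byte pcap global header."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order = MAGICS[data[:4]]
    # Fields: magic, version_major, version_minor, thiszone, sigfigs, snaplen, network
    network = struct.unpack(order + "IHHiIII", data[:24])[6]
    return order, network

def first_packet_payload(data):
    """Return (linktype, link_len, network-layer bytes of record 1, IP version)."""
    order, linktype = parse_global_header(data)
    if linktype not in LINK_HEADER_LEN or len(data) < 40:
        raise ValueError("unsupported linktype %r or no records" % linktype)
    link_len = LINK_HEADER_LEN[linktype]
    # Per-record header: ts_sec, ts_frac, incl_len (captured), orig_len (on the wire)
    incl_len = struct.unpack(order + "IIII", data[24:40])[2]
    payload = data[40:40 + incl_len][link_len:]
    ip_version = payload[0] >> 4 if payload else None  # 4 or 6 for an IP payload
    return linktype, link_len, payload, ip_version

# Constructed sample: minimal IPv6 header (::1 -> ::1, next header 59 = none)
IPV6_HDR = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       bytes(15) + b"\x01", bytes(15) + b"\x01")
# Little-endian LINKTYPE_RAW file: one way a capture that starts at the IPv6 header is stored
SAMPLE_RAW_PCAP = (struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 101)
                   + struct.pack("<IIII", 0, 0, len(IPV6_HDR), len(IPV6_HDR)) + IPV6_HDR)
# Big-endian LINKTYPE_ETHERNET file: the same packet behind a 14-byte Ethernet header
ETH_FRAME = bytes(6) + bytes(6) + b"\x86\xdd" + IPV6_HDR
SAMPLE_ETH_PCAP = (struct.pack(">IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
                   + struct.pack(">IIII", 0, 0, len(ETH_FRAME), len(ETH_FRAME)) + ETH_FRAME)
```

Running first_packet_payload on a real file read with open(path, "rb") gives the same tuple; a linktype missing from the table means the reader has to consult the tcpdump list before it can skip the link header safely.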

Licensed under: CC-BY-SA with attribution