Hi,

I'm thinking about how to do libpcap matching for ARCnet.

The problem is this:

- very few protocols (unformatted diagnostics, deprecated ip and arp, 
  some factory-network control protocols) use off_nl == 3

- real computer protocols (ip, arp, rarp, ipv6, appletalk, ipx, banyan vines)
  use a link level fragmentation header, where

  ll[3] == 0xff && (ll[7] == odd || ll[7] == 0)
	first fragment (with payload header), off_nl == 10

	(actually, on sending, ll[4]==0xff, ll[5] == 0xff, ll[6] is a copy
	of the protocol type in ll[2], but this is not checked when receiving)

  (ll[3] == odd < 0xff || ll[3] == 0)
	first fragment (with payload header), off_nl == 6

  ll[3] == 0xff && ll[7] == even || ll[3] == even 
	nonfirst fragment, no payload matching possible


Did anybody ever have an idea how to handle this? I understand the more
sophisticated Ethernet/FDDI/Tokenring encoding might have variable encodings,
too, but tcpdump/libpcap just assume the most common version?

My unready thoughts

basically two expressions (one for off_nl == 10, one for off_nl == 6) for the 
payload match need to be created, B_ANDed with the right part of the above, 
and B_ORed together. Unfortunately, off_nl is more or less considered to be
static in libpcap.

Regards,
	Ignatios