Subject: Re: tcpflow vs. lo0 on 2.0_BETA
To: Jun-ichiro itojun Hagino <>
From: Curt Sampson <>
List: tech-net
Date: 08/19/2004 16:45:05
On Thu, 19 Aug 2004, Jun-ichiro itojun Hagino wrote:

> > I'm having a lot of trouble with the pkgsrc tcpflow on NetBSD 2.0_BETA
> > when sniffing lo0. It works fine on my ethernet card, but with lo0 I
> > just get this (with -v):
> 	check if tcpflow supports non-ethernet interface.  my guess is that
> 	tcpflow supports ethernet frames, and not bpf encoding for lo0
> 	(4-byte address family).

I shoulda looked at the source right off.

Could it be we have to define DLT_NULL_BROKEN? Or there's a bug with this
in NetBSD? See the code fragment below, from the begining of dlheader.c.

Curt Sampson  <>   +81 90 7737 2974
    Don't you know, in this new Dark Age, we're all light.  --XTC

/* The DLT_NULL packet header is 4 bytes long. It contains a network
 * order 32 bit integer that specifies the family, e.g. AF_INET.
 * DLT_NULL is used by the localhost interface. */
#define NULL_HDRLEN 4

void dl_null(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
  u_int caplen = h->caplen;
  u_int length = h->len;
  u_int family;

  if (length != caplen) {
    DEBUG(6) ("warning: only captured %d bytes of %d byte null frame",
          caplen, length);

  if (caplen < NULL_HDRLEN) {
    DEBUG(6) ("warning: received incomplete null frame");

  /* One of the symptoms of a broken DLT_NULL is that this value is
   * not set correctly, so we don't check for it -- instead, just
   * assume everything is IP.  --JE 20 April 1999*/
  /* make sure this is AF_INET */
  memcpy((char *)&family, (char *)p, sizeof(family));
  family = ntohl(family);
  if (family != AF_INET) {
    DEBUG(6) ("warning: received non-AF_INET null frame (type %d)", family);

  process_ip(p + NULL_HDRLEN, caplen - NULL_HDRLEN);