from tcpdump.org, although with a slightly different signature.
The tcpdump.org version has no way to report an error string back
to the caller. This version takes an additional "errbuf" argument
(similar to pcap_open_*()).
- old-style and PHDS IPv4+ARP; RARP, IPv6, AppleTalk are matched now.
- in case this is an unfragmented or first-fragment IPv4, IPv6, ARP, RARP or
AppleTalk packet, matching inside the payload is possible to the extent
already supported by tcpdump/libpcap. For 2nd and next fragments, this
won't work; it also won't work for old-style (RFC1051) IPv4 and ARP.
"tcp" will match both IPv4 TCP and IPv6 TCP.
"ip6" will match IPv6.
You can chase the header chain by using "protochain" instead of "proto"
(but BPF code is not optimizable in this case).
commit to tcpdump will follow.
I've sent this fix to LBL guys to get no response. I wonder why it was.
qualifiers are DLT_SLIP and DLT_PPP (i.e. old-style serial encap PPP).
If an attempt is made to use these qualifiers for any other link type,
cause a BPF program compilation error.
Some of the stuff (e.g., rarpd, bootpd, dhcpd etc., libsa) will still
only support Ethernet. Tcpdump itself should be ok, but libpcap needs
a lot of work.
For the detailed change history, look at the commit log entries for
the is-newarp branch.