libtrace supports a variety of headers and can properly decode them and use them to find various parts of a packet.

Packet Metadata pseudo headers

These headers are added by the kernel (or capture software) to add additional metadata about a packet.

How to get these headers: trace_get_meta() (libtrace 3.0.4+)
How to skip one of these headers: trace_get_payload_from_meta() (libtrace 3.0.4+)

Linux SLL

This header is added by the linux kernel on variety of capture formats, and can be generated by libtrace internally when interoperating with libpcap. This header most notably contains a simple direction header.

Radio tap

This header is added by drivers when capturing radio frames. These frames contain data such as signal strength of the packet when it was captured.


Libtrace knows enough to skip this header when looking for a higher level protocol, but otherwise generally ignores it.

Layer two (link layer) headers

These are usually the first headers that are actually passed over the wire.

How to get these headers: trace_get_layer2() (libtrace 3.0.4+)
How to skip one of these headers: trace_get_payload_from_layer2() (libtrace 3.0.4+)

Supported headers:

  • 802.11 (aka Wifi)
  • 802.3 (aka Ethernet II)
  • IPv4/IPv6
  • PPP
  • ATM (Note skipping the ATM header skips the LLCSNAP header following it too)

Layer 2.5ish headers

These are headers that sit above layer2, but below layer3.

  • VLAN's
  • QinQ
  • MPLS (The payload type of MPLS is guessed from the first nibble of the payload)

Layer three (Network) headers

How to get these headers: trace_get_layer3()

  • IPv4 (also trace_get_ip(), trace_get_payload_from_ip())
  • IPv6 (also trace_get_ip6(), trace_get_payload_from_ip6())

When skipping IPv4/IPv6 headers, libtrace will skip over an IPv6 header tunnelled an IPv4 packet (as with 6to4).

Transport headers

Protocols that run over IPv4 and IPv6.

How to get these headers: trace_get_transport()

  • TCP (also trace_get_tcp())
  • UDP (also trace_get_udp())
  • ICMP (also trace_get_icmp(), while libtrace can look inside an ICMP packet, it won't skip into one when looking for another header)
Last modified 14 years ago Last modified on 09/07/07 16:37:49