This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What does SLL stand for (as in the context of Linux “cooked” headers)?

0

What does SLL stand for? On the Wireshark SLL wiki page, it states that,

For those who are curious, "SLL" stands for "sockaddr_ll"", but then goes on to say:

This means that information such as the link-layer protocol's packet type field, if any, isn't available, so libpcap constructs a synthetic link-layer [emphasis added] header from the address supplied when it does a recvfrom() on the socket.

In any case, if it does stand for "sockaddr_ll", is there an actual reference somewhere to corroborate that? And here, the "ll" presumably stands for "Link Layer", would that be correct?

I was thinking that "Synthetic Link-Layer", "Synthesized Link-Layer", or possibly even "Substitue[d] Link-Layer" might be more likely, but I can't find any real definition anywhere. Even in the Linux "sll.h" header file, it doesn't specifically mention it, only that it, "... is derived from the Stanford/CMU enet packet filter, (net/enet.c) distributed as part of 4.3BSD, ..."

I am interested in order to possibly update some Wireshark documentation.

asked 12 Sep '13, 12:47

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

is derived from the Stanford/CMU enet packet filter, (net/enet.c) distributed as part of 4.3BSD, ..."

That was me, copying and pasting the standard copyright notice from bpf.h; that particular part really didn't belong in sll.h (or ipnet.h).

(13 Sep '13, 17:58) Guy Harris ♦♦

One Answer:

0

"SLL" stands for "sockaddr_ll""
In any case, if it does stand for "sockaddr_ll", is there an actual reference somewhere to corroborate that?

I guess that's because of the definition of sockaddr_ll in the Linux kernel.

http://kerneldox.com/kdox-linux/d8/d92/if__packet_8h_source.html

struct sockaddr_ll {
         unsigned short  sll_family;
         __be16          sll_protocol;
         int             sll_ifindex;
         unsigned short  sll_hatype;
         unsigned char   sll_pkttype;
         unsigned char   sll_halen;
         unsigned char   sll_addr[8];
};

And here, the "ll" presumably stands for "Link Layer", would that be correct?

I would say yes, although there is no clear reference in the kernel code from 'll' to "Link Layer". But in the context where is defined, it makes sense.

However: In the man page of packet(7), it is referenced as "Link Level".

http://linux.die.net/man/7/packet

The link level header information is available in a common format in a sockaddr_ll. protocol is the

Link Layer or Link Level? I would vote for Link Layer, as that's a pretty common term.

Let's wait what the libpcap hackers have to say ;-))

Regards
Kurt

answered 12 Sep '13, 13:52

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 12 Sep '13, 14:07

Thanks for your reply, Kurt. I guess I'll just leave it as "SLL" without any further elaboration.

(13 Sep '13, 08:33) cmaynard ♦♦

I guess, for the 'regular' user it is not that important to know where the SLL acronym originated from.

The explanation in the Wiki is good enough, to understand what cooked mode is and why/where it is needed.

(14 Sep '13, 04:29) Kurt Knochner ♦

Well, I was thinking that it might be nice to document it in the Wireshark packet details pane and status line so it would be more obvious to users who, for example, might want to apply an "sll*" filter. In that way, they would have a better idea as to why it's "sll" instead of something like, "lcc" for "Linux cooked capture".

(14 Sep '13, 16:07) cmaynard ♦♦