DLT_LINUX_SLL and DLT_LINUX_SLL2 are libpcap link-types for fake link-layer headers used when capturing packets on Linux with PF_PACKET (which happens if you run tcpdump -i any).
The difference between the versions is a slightly modified header/struct and link-type number. Zeek currently understands version 1. I'm working on https://github.com/zeek/zeek/pull/2340 which adds support for reading version 2 PCAP files.
Libpcap only added DLT_LINUX_SLL2 support in version 1.10.0.
On @timwoj's suggestion, this PR has DONT_HAVE_LIBPCAP_DLT_LINUX_SLL2 set by cmake, which allows for conditionally compiling in a check/abort when trying to read this type of file with an older libpcap (i.e., Ubuntu <= 18, Debian <= 10, CentOS <= 7). The btest case added in https://github.com/zeek/zeek/pull/2340 also tests for DONT_HAVE_LIBPCAP_DLT_LINUX_SLL2 in zeek-config.h and skips the test on those platforms.
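
The "slightly modified header/struct" mentioned above, shown as an added example (not code from the Zeek PR or from libpcap): a bounds-checked parser for both cooked-capture headers, using the field layouts and link-type numbers from the libpcap link-type documentation. `CookedHeader`, `parse_cooked` and the sample byte arrays are hypothetical names and constructed data.

```cpp
#include <cstddef>
#include <cstdint>

// Link-type numbers assigned to the two cooked-capture formats.
constexpr int LINKTYPE_LINUX_SLL = 113;
constexpr int LINKTYPE_LINUX_SLL2 = 276;

struct CookedHeader {
    uint16_t protocol;   // usually the EtherType of the payload
    uint16_t hatype;     // ARPHRD_ value of the capturing device
    uint16_t pkttype;    // 0 = sent to us, 4 = sent by us, ...
    uint16_t halen;      // sender address length (may exceed the 8 stored bytes)
    int32_t ifindex;     // -1 for v1, which has no interface index field
    size_t payload_off;  // offset of the encapsulated packet
};

static uint16_t be16(const uint8_t* p) { return uint16_t((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t* p) { return (uint32_t(be16(p)) << 16) | be16(p + 2); }

// Returns false for an unknown link type or a header shorter than the format requires.
bool parse_cooked(int linktype, const uint8_t* d, size_t len, CookedHeader* h) {
    if (linktype == LINKTYPE_LINUX_SLL) {
        // v1, 16 bytes: pkttype(2) hatype(2) halen(2) addr(8) protocol(2)
        if (len < 16) return false;
        h->pkttype = be16(d);
        h->hatype = be16(d + 2);
        h->halen = be16(d + 4);
        h->protocol = be16(d + 14);
        h->ifindex = -1;
        h->payload_off = 16;
    } else if (linktype == LINKTYPE_LINUX_SLL2) {
        // v2, 20 bytes: protocol(2) reserved(2) ifindex(4) hatype(2) pkttype(1) halen(1) addr(8)
        if (len < 20) return false;
        h->protocol = be16(d);
        h->ifindex = int32_t(be32(d + 4));
        h->hatype = be16(d + 8);
        h->pkttype = d[10];
        h->halen = d[11];
        h->payload_off = 20;
    } else {
        return false;
    }
    return true;
}

// Constructed sample headers (IPv4 payload, Ethernet device, 6-byte address).
static const uint8_t SAMPLE_SLL[16] = {0,0, 0,1, 0,6, 2,0,0,0,0,1,0,0, 8,0};
static const uint8_t SAMPLE_SLL2[20] = {8,0, 0,0, 0,0,0,2, 0,1, 4, 6, 2,0,0,0,0,1,0,0};
```

Feeding a v2 header to a v1-only parser reads the protocol from the wrong offset, which is why the link-type number has to select the layout before any field is touched.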