tcpdump- link level header pcap
When I read the man page of tcpdump, it says that if we use the -e option with it, it will print link-level headers.
-e Print the link-level header on each dump line.
What exactly do we mean by link-level header?
When I used it, it printed something like:
13:48:48.993388 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.145918 0:d:28:73:bd:85 0:d:28:73:bd:85 loopback 60:
0000 0100 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000
13:48:49.211845 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.211874 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.211879 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.211884 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.211895 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.211910 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.233395 0:d:60:6a:71:91 Broadcast arp 60: arp who-has 10.20.81.230 tell 10.20.81.70
13:48:49.254576 0:10:b5:aa:29:ee Broadcast ip 92: 10.20.81.187.netbios-ns > 10.20.81.255.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:48:49.272867 0:d:28:73:bd:85 1:80:c2:0:0:0 0026 60: 802.1d ui/C
>>> IPX transport Data: (107 bytes)
[000] 00 00 00 00 00 80 00 00 02 B9 C9 96 C0 00 00 0C ........ ........
[010] 39 C0 01 00 0D 28 73 BD 80 80 05 03 00 14 00 02 9....(s. ........
[020] 00 0F 00 00 00 00 00 00 00 00 00 49 45 50 45 4E ........ ...IEPEN
[030] 45 46 43 41 43 41 43 41 43 41 43 41 43 41 43 41 EFCACACA CACACACA
[040] 43 41 43 41 42 4C 00 00 20 00 01 C0 0C 00 20 00 CACABL.. ..... .
[050] 01 00 04 93 E0 00 06 80 00 0A 14 51 D1 41 43 41 ........ ...Q.ACA
[060] 43 41 43 41 43 41 43 41 42 4E 00 CACACACA BN.
SMB PACKET: SMBtrans (REQUEST)
len=43
13:48:49.303764 0:7:95:16:59:16 Broadcast 0026 60: sap e0 ui/C
>>> IPX transport Data: (107 bytes)
[000] FF FF 00 22 00 00 00 00 00 00 FF FF FF FF FF FF ...".... ........
[010] 04 52 00 00 00 00 00 07 95 16 59 16 40 00 00 03 .R...... ..Y.@...
[020] 00 04 00 20 20 20 20 20 20 20 20 49 45 50 45 4E ... IEPEN
[030] 45 46 43 41 43 41 43 41 43 41 43 41 43 41 43 41 EFCACACA CACACACA
[040] 43 41 43 41 42 4C 00 00 20 00 01 C0 0C 00 20 00 CACABL.. ..... .
[050] 01 00 04 93 E0 00 06 80 00 0A 14 51 D1 41 43 41 ........ ...Q.ACA
[060] 43 41 43 41 43 41 43 41 42 4E 00 CACACACA BN.
SMB PACKET: SMBtrans (REQUEST)
len=43
13:48:49.321207 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.321236 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.321241 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
13:48:49.321246 0:9:6b:99:3f:74 Broadcast arp 60: arp who-has 10.20.81.100 tell 10.20.81.34
Please tell me, can we print this directly by using any function from the pcap library?
Please help.
Thanks in advance.
Last edited by shivaligupta; 04-28-2005 at 05:18 AM.
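An added example, not part of the original post: the bytes libpcap hands to a capture callback start with the link-level header, which on Ethernet is 14 bytes (destination MAC, source MAC, type/length). The sketch below decodes that header from a raw buffer and prints it in the same shape as the `-e` output above; `format_link_header` and `fmt_mac` are hypothetical names, the frame is constructed from the first ARP line in the post, and no libpcap call is made so it runs offline.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

#define ETH_HDR_LEN 14  /* dst MAC (6) + src MAC (6) + type/length (2) */

/* Format a MAC the way the output in the post does: hex, no zero padding. */
static void fmt_mac(const uint8_t *m, char *out, size_t n)
{
    static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    if (memcmp(m, bcast, 6) == 0)
        snprintf(out, n, "Broadcast");
    else
        snprintf(out, n, "%x:%x:%x:%x:%x:%x", m[0], m[1], m[2], m[3], m[4], m[5]);
}

/* Render the link-level header of one Ethernet frame into out.
 * caplen = bytes actually captured, wirelen = frame length on the wire.
 * Returns 0 on success, -1 if the capture is too short to hold a header. */
int format_link_header(const uint8_t *pkt, size_t caplen, size_t wirelen,
                       char *out, size_t n)
{
    char src[32], dst[32], type[16];
    if (caplen < ETH_HDR_LEN)
        return -1;                      /* truncated: never read past caplen */
    fmt_mac(pkt, dst, sizeof dst);      /* destination comes first on the wire */
    fmt_mac(pkt + 6, src, sizeof src);
    unsigned t = (unsigned)pkt[12] << 8 | pkt[13];  /* big-endian field */
    if (t == 0x0806)      snprintf(type, sizeof type, "arp");
    else if (t == 0x0800) snprintf(type, sizeof type, "ip");
    else                  snprintf(type, sizeof type, "%04x", t); /* < 0x0600 is an 802.3 length */
    snprintf(out, n, "%s %s %s %zu:", src, dst, type, wirelen);
    return 0;
}

int main(void)
{
    /* Constructed frame: header bytes matching the first ARP line in the post */
    uint8_t frame[60] = {0xff,0xff,0xff,0xff,0xff,0xff,
                         0x00,0x09,0x6b,0x99,0x3f,0x74, 0x08,0x06};
    char line[96];
    if (format_link_header(frame, sizeof frame, sizeof frame, line, sizeof line) == 0)
        puts(line);
    return 0;
}
```

In a real capture the same function would be called from the packet callback with the header's `caplen` and `len` values, after confirming that `pcap_datalink()` reports `DLT_EN10MB`, since other link types use a different header layout.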