Reference:
http://www.cnblogs.com/caoguoping100/p/3654452.html
https://wiki.wireshark.org/NullLoopback
To capture packets, install a terminal app and enter the command:
tcpdump -i pdp_ip0 -s 0 -w Pdp.pcap
This produced the capture, and the packets in it turned out to have a loopback link layer.
pdp_ip0 is the network interface used for 3G/4G, yet the captured packets sit directly on a loopback layer. Puzzling?
Attached is the Wireshark explanation:
Null/loopback (Null)
The "null" protocol is the link-layer protocol used on the loopback device in most BSD operating systems. It is somewhat misnamed, in that the link-layer header isn't "null" in the sense that there isn't any link-layer header; instead, the link-layer header is a 4-byte integer, in the native byte order of the machine on which the traffic is captured, containing an "address family"/"protocol family" value for the protocol running atop the link layer, for example AF_INET for IPv4 and AF_INET6 for IPv6. AF_INET is 2 on all BSD-based operating systems, as it was introduced at the same time the BSD versions with networking were released; however, AF_INET6, unfortunately, has different values in {NetBSD,OpenBSD,BSD/OS}, {FreeBSD,DragonFlyBSD}, and {Darwin/Mac OS X}, so an IPv6 packet might have a link-layer header with any one of several values as the AF_ value.
The byte order is that of the host on which the packet was captured, so the dissector has to be able to handle both big-endian and little-endian values.
The "loopback" protocol is used by recent versions of OpenBSD; it's the same as the "null" protocol, except that the 4-byte AF_ value is in network byte order (big-endian) rather than host byte order.
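The byte-order handling described above, as an added Python example (not code from the original post or from Wireshark): it tries both byte orders for a "null" header, only big-endian for "loopback", and accepts a result only if the payload's IP version nibble agrees. The link-type numbers 0 and 108 and the AF_INET6 values 24, 28 and 30 are taken from libpcap's documentation, not from this page; the sample frames are constructed.

```python
import struct

LINKTYPE_NULL, LINKTYPE_LOOP = 0, 108   # libpcap link-layer type numbers

# AF_INET is 2 on every BSD; the AF_INET6 values for the three BSD groups come
# from libpcap's LINKTYPE_NULL documentation, not from this page.
FAMILIES = {2: "IPv4", 24: "IPv6", 28: "IPv6", 30: "IPv6"}
IP_VERSION = {"IPv4": 4, "IPv6": 6}


def parse_null_header(frame: bytes, linktype: int = LINKTYPE_NULL):
    """Return (protocol, byte_order, payload) for a null/loopback frame."""
    if len(frame) < 5:
        raise ValueError("frame too short for a 4-byte header plus payload")
    header, payload = frame[:4], frame[4:]
    # "loopback" is always big-endian; "null" is whatever the capture host was.
    orders = (">",) if linktype == LINKTYPE_LOOP else ("<", ">")
    for order in orders:
        (family,) = struct.unpack(order + "I", header)
        proto = FAMILIES.get(family)
        # Accept a byte order only if the payload's IP version nibble agrees.
        if proto and payload[0] >> 4 == IP_VERSION[proto]:
            name = "little-endian" if order == "<" else "big-endian"
            return proto, name, payload
    raise ValueError(f"unrecognised link-layer header {header.hex()}")


# Constructed sample frames: 4-byte header + first bytes of an IP packet.
V4 = bytes.fromhex("4500001c")          # IPv4, version nibble 4
V6 = bytes.fromhex("60000000")          # IPv6, version nibble 6
SAMPLES = [
    (LINKTYPE_NULL, struct.pack("<I", 2) + V4),    # little-endian capture host
    (LINKTYPE_NULL, struct.pack(">I", 2) + V4),    # big-endian capture host
    (LINKTYPE_NULL, struct.pack("<I", 30) + V6),   # Darwin AF_INET6
    (LINKTYPE_LOOP, struct.pack(">I", 24) + V6),   # OpenBSD "loopback"
]

if __name__ == "__main__":
    for linktype, frame in SAMPLES:
        print(linktype, parse_null_header(frame, linktype)[:2])
```

A header that names one family while the payload carries the other IP version is rejected rather than guessed at, which keeps a malformed or mislabelled capture from being parsed as the wrong protocol.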
History
The "null" protocol dates back to the original BPF implementation on BSD.
Protocol dependencies
The "null" and "loopback" protocols are the lowest software layers, so they only depend on the implementation of the loopback device.
Example Traffic