diff --git a/Makefile.am b/Makefile.am
index 2d1e8341df..ad9dfe5419 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,7 +1,7 @@
 # Makefile.am
 # Automake file for Ethereal
 #
-# $Id: Makefile.am,v 1.260 2000/12/22 15:55:36 nneul Exp $
+# $Id: Makefile.am,v 1.261 2000/12/23 08:06:14 guy Exp $
 #
 # Ethereal - Network traffic analyzer
 # By Gerald Combs
@@ -139,6 +139,7 @@ DISSECTOR_SOURCES = \
 packet-sctp.c \
 packet-sdp.c \
 packet-sip.c \
+ packet-sll.c \
 packet-smb.c \
 packet-smb-browse.c \
 packet-smb-common.c \
diff --git a/Makefile.nmake b/Makefile.nmake
index c6a5fd9d25..32fb889d41 100644
--- a/Makefile.nmake
+++ b/Makefile.nmake
@@ -1,7 +1,7 @@
 ## Makefile for building ethereal.exe with Microsoft C and nmake
 ## Use: nmake -f makefile.nmake
 #
-# $Id: Makefile.nmake,v 1.68 2000/12/17 07:38:14 guy Exp $
+# $Id: Makefile.nmake,v 1.69 2000/12/23 08:06:14 guy Exp $
 include config.nmake
@@ -126,6 +126,7 @@ DISSECTOR_SOURCES = \
 packet-sctp.c \
 packet-sdp.c \
 packet-sip.c \
+ packet-sll.c \
 packet-smb.c \
 packet-smb-browse.c \
 packet-smb-common.c \
diff --git a/packet-bpdu.c b/packet-bpdu.c
index cc05498365..083f993518 100644
--- a/packet-bpdu.c
+++ b/packet-bpdu.c
@@ -1,7 +1,7 @@
 /* packet-bpdu.c
 * Routines for BPDU (Spanning Tree Protocol) disassembly
 *
- * $Id: packet-bpdu.c,v 1.16 2000/11/30 09:31:50 guy Exp $
+ * $Id: packet-bpdu.c,v 1.17 2000/12/23 08:06:14 guy Exp $
 *
 * Copyright 1999 Christophe Tronche
 *
@@ -107,8 +107,13 @@ dissect_bpdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { BPDU frames. Fortunately, they can be recognized by checking the first 6 octets of the destination address, which are in the range from - 01-80-C2-00-00-20 to 01-80-C2-00-00-2F. */ - if (pinfo->dl_dst.data[0] == 0x01 && pinfo->dl_dst.data[1] == 0x80 && + 01-80-C2-00-00-20 to 01-80-C2-00-00-2F. + + Yes - we *do* need to check the destination address type; + on Linux cooked captures, there *is* no destination address, + so it's AT_NONE. */ + if (pinfo->dl_dst.type == AT_ETHER && + pinfo->dl_dst.data[0] == 0x01 && pinfo->dl_dst.data[1] == 0x80 && pinfo->dl_dst.data[2] == 0xC2 && pinfo->dl_dst.data[3] == 0x00 && pinfo->dl_dst.data[4] == 0x00 && ((pinfo->dl_dst.data[5] & 0x20) == 0x20)) { diff --git a/packet-sll.c b/packet-sll.c new file mode 100644 index 0000000000..dd5425046a --- /dev/null +++ b/packet-sll.c 
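Review bot: The last test in this condition, `((pinfo->dl_dst.data[5] & 0x20) == 0x20)`, accepts any final octet with bit 5 set (0x30-0x3F, 0x60-0x7F, 0xA0-0xBF and 0xE0-0xFF as well as 0x20-0x2F), which is wider than the 01-80-C2-00-00-20 to 01-80-C2-00-00-2F range the comment describes. Masking the high nibble matches the stated range: `((pinfo->dl_dst.data[5] & 0xF0) == 0x20)`. The added `dl_dst.type == AT_ETHER` guard keeps the code from reading an unset address, but it does not look at `dl_dst.len`; that is safe only if every AT_ETHER address is set with length 6, which this hunk does not show. dissect_bpdu's body starts and ends outside the hunk.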
@@ -0,0 +1,316 @@
+/* packet-sll.c
+ * Routines for disassembly of packets from Linux "cooked mode" captures
+ *
+ * $Id: packet-sll.c,v 1.1 2000/12/23 08:06:14 guy Exp $
+ *
+ * Ethereal - Network traffic analyzer
+ * By Gerald Combs
+ * Copyright 1998 Gerald Combs
+ *
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#ifdef HAVE_SYS_TYPES_H
+# include
+#endif
+
+#include
+#include
+#include
+#include "packet.h"
+#include "packet-ipx.h"
+#include "packet-llc.h"
+#include "resolv.h"
+
+static int proto_sll = -1;
+static int hf_sll_pkttype = -1;
+static int hf_sll_hatype = -1;
+static int hf_sll_halen = -1;
+static int hf_sll_src_eth = -1;
+static int hf_sll_src_other = -1;
+static int hf_sll_ltype = -1;
+static int hf_sll_etype = -1;
+static int hf_sll_trailer = -1;
+
+static gint ett_sll = -1;
+
+/*
+ * A DLT_LINUX_SLL fake link-layer header.
+ */
+#define SLL_HEADER_SIZE 16 /* total header length */
+#define SLL_ADDRLEN 8 /* length of address field */
+
+/*
+ * The LINUX_SLL_ values for "sll_pkttype".
+ */
+#define LINUX_SLL_HOST 0
+#define LINUX_SLL_BROADCAST 1
+#define LINUX_SLL_MULTICAST 2
+#define LINUX_SLL_OTHERHOST 3
+#define LINUX_SLL_OUTGOING 4
+
+static const value_string packet_type_vals[] = {
+ { LINUX_SLL_HOST, "Unicast to us" },
+ { LINUX_SLL_BROADCAST, "Broadcast" },
+ { LINUX_SLL_MULTICAST, "Multicast" },
+ { LINUX_SLL_OTHERHOST, "Unicast to another host" },
+ { LINUX_SLL_OUTGOING, "Sent by us" },
+ { 0, NULL }
+};
+
+/*
+ * The LINUX_SLL_ values for "sll_protocol".
+ */
+#define LINUX_SLL_P_802_3 0x0001 /* Novell 802.3 frames without 802.2 LLC header */
+#define LINUX_SLL_P_802_2 0x0004 /* 802.2 frames (not D/I/X Ethernet) */
+
+static const value_string ltype_vals[] = {
+ { LINUX_SLL_P_802_3, "Raw 802.3" },
+ { LINUX_SLL_P_802_2, "802.2 LLC" },
+ { 0, NULL }
+};
+
+void
+capture_sll(const u_char *pd, packet_counts *ld)
+{
+ guint16 protocol;
+
+ if (!BYTES_ARE_IN_FRAME(0, SLL_HEADER_SIZE)) {
+ ld->other++;
+ return;
+ }
+ protocol = pntohs(&pd[14]);
+ if (protocol <= 1536) { /* yes, 1536 - that's how Linux does it */
+ /*
+ * "proto" is *not* a length field, it's a Linux internal
+ * protocol type.
+ */
+ switch (protocol) {
+
+ case LINUX_SLL_P_802_2:
+ /*
+ * 802.2 LLC.
+ */
+ capture_llc(pd, SLL_HEADER_SIZE, ld);
+ break;
+
+ case LINUX_SLL_P_802_3:
+ /*
+ * Novell IPX inside 802.3 with no 802.2 LLC
+ * header.
+ */
+ capture_ipx(pd, SLL_HEADER_SIZE, ld);
+ break;
+
+ default:
+ ld->other++;
+ break;
+ }
+ } else
+ capture_ethertype(protocol, SLL_HEADER_SIZE, pd, ld);
+}
+
+static void
+dissect_sll(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+{
+ guint16 pkttype;
+ guint16 protocol;
+ guint16 hatype, halen;
+ guint8 *src;
+ proto_item *ti;
+ volatile guint16 length;
+ tvbuff_t *volatile next_tvb;
+ tvbuff_t *volatile trailer_tvb;
+ proto_tree *volatile fh_tree = NULL;
+ guint length_before;
+
+ CHECK_DISPLAY_AS_DATA(proto_sll, tvb, pinfo, tree);
+
+ pinfo->current_proto = "SLL";
+ if (check_col(pinfo->fd, COL_PROTOCOL))
+ col_set_str(pinfo->fd, COL_PROTOCOL, "SLL");
+
+ pkttype = tvb_get_ntohs(tvb, 0);
+
+ if (check_col(pinfo->fd, COL_INFO))
+ col_add_str(pinfo->fd, COL_INFO,
+ val_to_str(pkttype, packet_type_vals, "Unknown (%u)"));
+
+ if (tree) {
+ ti = proto_tree_add_protocol_format(tree, proto_sll, tvb, 0,
+ SLL_HEADER_SIZE, "Linux cooked capture");
+ fh_tree = proto_item_add_subtree(ti, ett_sll);
+ proto_tree_add_item(fh_tree, hf_sll_pkttype, tvb, 0, 2, FALSE);
+ }
+
+ /*
+ * XXX - check the link-layer address type value?
+ * For now, we just assume 6 means Ethernet.
+ */
+ hatype = tvb_get_ntohs(tvb, 2);
+ halen = tvb_get_ntohs(tvb, 4);
+ if (tree) {
+ proto_tree_add_uint(fh_tree, hf_sll_hatype, tvb, 2, 2, hatype);
+ proto_tree_add_uint(fh_tree, hf_sll_halen, tvb, 4, 2, halen);
+ }
+ if (halen == 6) {
+ src = tvb_get_ptr(tvb, 6, 6);
+ SET_ADDRESS(&pinfo->dl_src, AT_ETHER, 6, src);
+ SET_ADDRESS(&pinfo->src, AT_ETHER, 6, src);
+ if (tree) {
+ proto_tree_add_ether(fh_tree, hf_sll_src_eth, tvb,
+ 6, 6, src);
+ }
+ } else {
+ if (tree) {
+ proto_tree_add_bytes(fh_tree, hf_sll_src_other, tvb,
+ 6, halen, tvb_get_ptr(tvb, 6, halen));
+ }
+ }
+
+ protocol = tvb_get_ntohs(tvb, 14);
+ if (protocol <= 1536) { /* yes, 1536 - that's how Linux does it */
+ /*
+ * "proto" is *not* a length field, it's a Linux internal
+ * protocol type.
+ * We therefore cannot say how much of the packet will
+ * be trailer data.
+ * XXX - do the same thing we do for packets with Ethertypes?
+ */
+ proto_tree_add_uint(fh_tree, hf_sll_ltype, tvb, 14, 2,
+ protocol);
+
+ next_tvb = tvb_new_subset(tvb, SLL_HEADER_SIZE, -1, -1);
+ trailer_tvb = NULL;
+ switch (protocol) {
+
+ case LINUX_SLL_P_802_2:
+ /*
+ * 802.2 LLC.
+ */
+ dissect_llc(next_tvb, pinfo, tree);
+ break;
+
+ case LINUX_SLL_P_802_3:
+ /*
+ * Novell IPX inside 802.3 with no 802.2 LLC
+ * header.
+ */
+ dissect_ipx(next_tvb, pinfo, tree);
+ break;
+
+ default:
+ dissect_data(next_tvb, 0, pinfo, tree);
+ break;
+ }
+ } else {
+ length_before = tvb_reported_length(tvb);
+ length = ethertype(protocol, tvb, SLL_HEADER_SIZE, pinfo, tree,
+ fh_tree, hf_sll_etype) + SLL_HEADER_SIZE;
+ if (length < length_before) {
+ /*
+ * Create a tvbuff for the padding.
+ */
+ TRY {
+ trailer_tvb = tvb_new_subset(tvb, length, -1,
+ -1);
+ }
+ CATCH2(BoundsError, ReportedBoundsError) {
+ /* The packet doesn't have "length" bytes
+ worth of captured data left in it. No
+ trailer to display. */
+ trailer_tvb = NULL;
+ }
+ ENDTRY;
+ } else {
+ /*
+ * There is no padding.
+ */
+ trailer_tvb = NULL;
+ }
+ }
+
+ /* If there's some bytes left over, mark them. */
+ if (trailer_tvb && tree) {
+ guint trailer_length;
+
+ trailer_length = tvb_length(trailer_tvb);
+ if (trailer_length != 0) {
+ proto_tree_add_item(fh_tree, hf_sll_trailer,
+ trailer_tvb, 0, trailer_length, FALSE);
+ }
+ }
+}
+
+void
+proto_register_sll(void)
+{
+ static hf_register_info hf[] = {
+ { &hf_sll_pkttype,
+ { "Packet type", "sll.pkttype", FT_UINT16, BASE_DEC,
+ VALS(packet_type_vals), 0x0, "Packet type" }},
+
+ /* ARP hardware type? With Linux extensions?
*/
+ { &hf_sll_hatype,
+ { "Link-layer address type", "sll.hatype", FT_UINT16, BASE_DEC,
+ NULL, 0x0, "Link-layer address type" }},
+
+ { &hf_sll_halen,
+ { "Link-layer address length", "sll.halen", FT_UINT16, BASE_DEC,
+ NULL, 0x0, "Link-layer address length" }},
+
+ /* Source address if it's an Ethernet-type address */
+ { &hf_sll_src_eth,
+ { "Source", "sll.src.eth", FT_ETHER, BASE_NONE, NULL, 0x0,
+ "Source link-layer address" }},
+
+ /* Source address if it's not an Ethernet-type address */
+ { &hf_sll_src_other,
+ { "Source", "sll.src.other", FT_BYTES, BASE_HEX, NULL, 0x0,
+ "Source link-layer address" }},
+
+ /* if the protocol field is an internal Linux protocol type */
+ { &hf_sll_ltype,
+ { "Protocol", "sll.ltype", FT_UINT16, BASE_HEX,
+ VALS(ltype_vals), 0x0, "Linux protocol type" }},
+
+ /* registered here but handled in ethertype.c */
+ { &hf_sll_etype,
+ { "Protocol", "sll.etype", FT_UINT16, BASE_HEX,
+ VALS(etype_vals), 0x0, "Ethernet protocol type" }},
+
+ { &hf_sll_trailer,
+ { "Trailer", "sll.trailer", FT_BYTES, BASE_NONE, NULL, 0x0,
+ "Trailer" }},
+ };
+ static gint *ett[] = {
+ &ett_sll,
+ };
+
+ proto_sll = proto_register_protocol("Linux cooked-mode capture", "sll" );
+ proto_register_field_array(proto_sll, hf, array_length(hf));
+ proto_register_subtree_array(ett, array_length(ett));
+}
+
+void
+proto_reg_handoff_sll(void)
+{
+ dissector_add("wtap_encap", WTAP_ENCAP_SLL, dissect_sll);
+}
diff --git a/wiretap/libpcap.c b/wiretap/libpcap.c
index 3eac15b74a..52b65bed73 100644
--- a/wiretap/libpcap.c
+++ b/wiretap/libpcap.c
@@ -1,6 +1,6 @@
 /* libpcap.c
 *
- * $Id: libpcap.c,v 1.44 2000/11/15 05:41:47 guy Exp $
+ * $Id: libpcap.c,v 1.45 2000/12/23 08:06:15 guy Exp $
 *
 * Wiretap Library
 * Copyright (c) 1998 by Gilbert Ramirez
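Review bot: In dissect_sll of the new packet-sll.c, the address length `halen` comes straight from the capture (`tvb_get_ntohs(tvb, 4)`) and the non-Ethernet branch passes it unclamped to `tvb_get_ptr(tvb, 6, halen)` and `proto_tree_add_bytes`, although the address field is only SLL_ADDRLEN (8) bytes; that constant is defined but never used. A header that claims a larger length makes the "Source" item run over the protocol field and the payload, and when it exceeds the captured data it presumably raises a bounds exception before the payload is dissected at all. Clamp once the raw value has been added to the tree, e.g. `if (halen > SLL_ADDRLEN) halen = SLL_ADDRLEN;` ahead of the `if (halen == 6)` test. Separately, `proto_tree_add_uint(fh_tree, hf_sll_ltype, ...)` in the `protocol <= 1536` branch is the only tree call not under `if (tree)`, and `length` is a `guint16` compared against the `guint` `length_before`, so declaring it `guint` would avoid truncating the value returned by `ethertype()`.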
@@ -338,6 +338,12 @@ static const struct { { 111, WTAP_ENCAP_HIPPI }, /* NetBSD HIPPI */ { 112, WTAP_ENCAP_HDLC }, /* NetBSD HDLC framing */ #endif + + /* + * Linux "cooked mode" captures, used by the current CVS version + * of libpcap. + */ + { 113, WTAP_ENCAP_SLL }, /* Linux cooked capture */ }; #define NUM_PCAP_ENCAPS (sizeof pcap_to_wtap_map / sizeof pcap_to_wtap_map[0]) diff --git a/wiretap/wtap.c b/wiretap/wtap.c index 5eb9381f3f..89ad680747 100644 --- a/wiretap/wtap.c +++ b/wiretap/wtap.c @@ -1,6 +1,6 @@ /* wtap.c * - * $Id: wtap.c,v 1.49 2000/11/15 05:41:48 guy Exp $ + * $Id: wtap.c,v 1.50 2000/12/23 08:06:16 guy Exp $ * * Wiretap Library * Copyright (c) 1998 by Gilbert Ramirez @@ -122,6 +122,8 @@ const static struct encap_type_info { /* WTAP_ENCAP_IEEE_802_11 */ { "IEEE 802.11 Wireless LAN", "ieee-802-11" }, + /* WTAP_ENCAP_SLL */ + { "Linux cooked-mode capture", "linux-sll" }, }; /* Name that should be somewhat descriptive. */ diff --git a/wiretap/wtap.h b/wiretap/wtap.h index 0f138e98da..cb496342d6 100644 --- a/wiretap/wtap.h +++ b/wiretap/wtap.h @@ -1,6 +1,6 @@ /* wtap.h * - * $Id: wtap.h,v 1.82 2000/11/15 05:41:48 guy Exp $ + * $Id: wtap.h,v 1.83 2000/12/23 08:06:16 guy Exp $ * * Wiretap Library * Copyright (c) 1998 by Gilbert Ramirez @@ -95,9 +95,10 @@ #define WTAP_ENCAP_V120 16 #define WTAP_ENCAP_PPP_WITH_PHDR 17 #define WTAP_ENCAP_IEEE_802_11 18 +#define WTAP_ENCAP_SLL 19 /* last WTAP_ENCAP_ value + 1 */ -#define WTAP_NUM_ENCAP_TYPES 19 +#define WTAP_NUM_ENCAP_TYPES 20 /* File types that can be read by wiretap. We support writing some many of these file types, too, so we