1 | initial version |
Hi Richard,
From epan/dissectors/packet-eth.c:
/*
* If the type/length field is <= the maximum 802.3 length,
* and is not zero, this is an 802.3 frame, and it's a length
* field; it might be an Novell "raw 802.3" frame, with no
* 802.2 LLC header, or it might be a frame with an 802.2 LLC
* header.
*
* If the type/length field is >= the minimum Ethernet II length,
* this is an Ethernet II frame, and it's a type field.
*
* If the type/length field is > maximum 802.3 length and < minimum
* Ethernet II length, then this is an invalid packet.
*
* If the type/length field is zero (ETHERTYPE_UNK), this is
* a frame used internally by the Cisco MDS switch to contain
* Fibre Channel ("Vegas"). We treat that as an Ethernet II
* frame; the dissector for those frames registers itself with
* an ethernet type of ETHERTYPE_UNK.
*/
Indeed your hex data is showing two extra bytes between the eth src/dst and the IP header. It appears to be the length of the frame, but as it is 0x38 (56) it is smaller than the minimum length of a frame and therefore Wireshark will not decode it as "802.3 RAW". Maybe the frame was captured on a box before padding took place?
One way to decode this is to use editcap to change the Link-Layer type to user0:
editcap -T user0 in.pcap out.pcap
And then right-click on "DLT" in Wireshark to set the protocol preferences. Add a new entry with:
DLT: User 0
Payload protocol: ip
Header size: 14
This will skip the first 14 bytes and decode the rest as (raw) IP.
2 | No.2 Revision |
Hi Richard,
From epan/dissectors/packet-eth.c:
/*
* If the type/length field is <= the maximum 802.3 length,
* and is not zero, this is an 802.3 frame, and it's a length
* field; it might be an Novell "raw 802.3" frame, with no
* 802.2 LLC header, or it might be a frame with an 802.2 LLC
* header.
*
* If the type/length field is >= the minimum Ethernet II length,
* this is an Ethernet II frame, and it's a type field.
*
* If the type/length field is > maximum 802.3 length and < minimum
* Ethernet II length, then this is an invalid packet.
*
* If the type/length field is zero (ETHERTYPE_UNK), this is
* a frame used internally by the Cisco MDS switch to contain
* Fibre Channel ("Vegas"). We treat that as an Ethernet II
* frame; the dissector for those frames registers itself with
* an ethernet type of ETHERTYPE_UNK.
*/
Indeed your hex data is showing two extra bytes between the eth src/dst and the IP header. It appears to be the length of the frame, but as it is 0x0038 (56) it is smaller than the minimum length of a frame and therefore Wireshark will not decode it as "802.3 RAW". Maybe the frame was captured on a box before padding took place?
One way to decode this is to use editcap to change the Link-Layer type to user0:
editcap -T user0 in.pcap out.pcap
And then right-click on "DLT" in Wireshark to set the protocol preferences. Add a new entry with:
DLT: User 0
Payload protocol: ip
Header size: 14
This will skip the first 14 bytes and decode the rest as (raw) IP.
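As an added example (not part of the original answer and not Wireshark's own code), the Python below applies the type/length rules from the quoted comment to a constructed frame carrying 0x0038, then mimics the User 0 DLT entry by skipping 14 bytes and parsing the rest as IPv4. The thresholds 1500 and 0x0600, the function names and the sample frame are assumptions of this example.

```python
import struct

# Assumed thresholds for the rules in the quoted comment (IEEE 802.3 values).
MAX_8023_LEN = 1500        # largest value still treated as a length field
MIN_ETHERNET_II = 0x0600   # smallest value treated as an EtherType

def classify_type_length(frame: bytes) -> str:
    """Classify bytes 12..13 of a frame using the rules in the quoted comment."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    value = int.from_bytes(frame[12:14], "big")
    if value == 0:
        return "ethernet2 (ETHERTYPE_UNK)"
    if value <= MAX_8023_LEN:
        return "802.3 length"
    if value >= MIN_ETHERNET_II:
        return "ethernet2 type"
    return "invalid"

def decode_as_raw_ip(frame: bytes, header_size: int = 14) -> dict:
    """Mimic the User 0 DLT entry: skip header_size bytes, parse IPv4."""
    ip = frame[header_size:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("payload after the skipped header is not IPv4")
    return {
        "ihl": (ip[0] & 0x0F) * 4,
        "total_length": int.from_bytes(ip[2:4], "big"),
        "protocol": ip[9],
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
    }

# Constructed sample: dst MAC, src MAC, 0x0038 in the type/length position,
# then a 56-byte IPv4/UDP packet (checksum left at zero, documentation addresses).
SAMPLE = (
    bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    + struct.pack("!H", 0x0038)
    + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 56, 0, 0, 64, 17, 0,
                  bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    + bytes(36)
)

if __name__ == "__main__":
    print(classify_type_length(SAMPLE))
    print(decode_as_raw_ip(SAMPLE))
```

The field value 0x0038 falls in the length range rather than the type range, so no EtherType is available to select the IP dissector; skipping the 14 header bytes is what exposes the IPv4 header.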