
Revision history

initial version

Hi Richard,

From epan/dissectors/packet-eth.c:

  /*
   * If the type/length field is <= the maximum 802.3 length,
   * and is not zero, this is an 802.3 frame, and it's a length
   * field; it might be an Novell "raw 802.3" frame, with no
   * 802.2 LLC header, or it might be a frame with an 802.2 LLC
   * header.
   *
   * If the type/length field is >= the minimum Ethernet II length,
   * this is an Ethernet II frame, and it's a type field.
   *
   * If the type/length field is > maximum 802.3 length and < minimum
   * Ethernet II length, then this is an invalid packet.
   *
   * If the type/length field is zero (ETHERTYPE_UNK), this is
   * a frame used internally by the Cisco MDS switch to contain
   * Fibre Channel ("Vegas").  We treat that as an Ethernet II
   * frame; the dissector for those frames registers itself with
   * an ethernet type of ETHERTYPE_UNK.
   */

Indeed, your hex data is showing two extra bytes between the eth src/dst and the IP header. It appears to be the length of the frame, but as it is 0x38 (56) it is smaller than the minimum length of a frame and therefore Wireshark will not decode it as "802.3 RAW". Maybe the frame was captured on a box before padding took place?

One way to decode this is to use editcap to change the Link-Layer type to user0:

editcap -T user0 in.pcap out.pcap

And then right-click on "DLT" in Wireshark to set the protocol preferences. Add a new entry with:

DLT: User 0
Payload protocol: ip
Header size: 14

This will skip the first 14 bytes and decode the rest as (raw) IP.

Hi Richard,

From epan/dissectors/packet-eth.c:

  /*
   * If the type/length field is <= the maximum 802.3 length,
   * and is not zero, this is an 802.3 frame, and it's a length
   * field; it might be an Novell "raw 802.3" frame, with no
   * 802.2 LLC header, or it might be a frame with an 802.2 LLC
   * header.
   *
   * If the type/length field is >= the minimum Ethernet II length,
   * this is an Ethernet II frame, and it's a type field.
   *
   * If the type/length field is > maximum 802.3 length and < minimum
   * Ethernet II length, then this is an invalid packet.
   *
   * If the type/length field is zero (ETHERTYPE_UNK), this is
   * a frame used internally by the Cisco MDS switch to contain
   * Fibre Channel ("Vegas").  We treat that as an Ethernet II
   * frame; the dissector for those frames registers itself with
   * an ethernet type of ETHERTYPE_UNK.
   */

Indeed, your hex data is showing two extra bytes between the eth src/dst and the IP header. It appears to be the length of the frame, but as it is 0x0038 (56) it is smaller than the minimum length of a frame and therefore Wireshark will not decode it as "802.3 RAW". Maybe the frame was captured on a box before padding took place?

One way to decode this is to use editcap to change the Link-Layer type to user0:

editcap -T user0 in.pcap out.pcap

And then right-click on "DLT" in Wireshark to set the protocol preferences. Add a new entry with:

DLT: User 0
Payload protocol: ip
Header size: 14

This will skip the first 14 bytes and decode the rest as (raw) IP.
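
The type/length rules from the quoted comment, written out as an added C example; it is not part of the answer above and is not Wireshark's code. The constant and function names are hypothetical, 1500 and 1536 are the IEEE 802.3 boundary values, and the IPv4 check is an assumed heuristic for spotting frames that need the user0 setup with header size 14.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IEEE_8023_MAX_LEN 1500 /* 0x05DC: largest value that is a length */
#define ETH_II_MIN_TYPE   1536 /* 0x0600: smallest value that is a type  */
#define ETH_HDR_LEN       14   /* dst MAC + src MAC + type/length        */

enum eth_kind { ETH_TRUNCATED, ETH_CISCO_MDS, ETH_8023_LENGTH, ETH_INVALID, ETH_II_TYPE };

/* Classify a frame by its type/length field, following the four rules
 * in the packet-eth.c comment quoted above. */
enum eth_kind classify_eth(const uint8_t *frame, size_t len)
{
    if (frame == NULL || len < ETH_HDR_LEN)
        return ETH_TRUNCATED;
    uint16_t tl = (uint16_t)((frame[12] << 8) | frame[13]); /* big-endian */
    if (tl == 0)
        return ETH_CISCO_MDS;      /* ETHERTYPE_UNK, treated as Ethernet II */
    if (tl <= IEEE_8023_MAX_LEN)
        return ETH_8023_LENGTH;    /* raw 802.3 or 802.2 LLC follows */
    if (tl < ETH_II_MIN_TYPE)
        return ETH_INVALID;        /* between the two ranges */
    return ETH_II_TYPE;
}

/* Heuristic (assumption, not Wireshark logic): a length-style field followed
 * directly by a plausible IPv4 header, i.e. the case that the user0 DLT
 * entry with header size 14 and payload protocol ip decodes. */
int is_length_prefixed_ipv4(const uint8_t *frame, size_t len)
{
    if (classify_eth(frame, len) != ETH_8023_LENGTH || len < ETH_HDR_LEN + 20)
        return 0;
    uint8_t vihl = frame[ETH_HDR_LEN];           /* version + header length */
    return (vihl >> 4) == 4 && (vihl & 0x0f) >= 5;
}

/* Constructed sample: MACs, length field 0x0038, then an IPv4 header. */
static const uint8_t sample[] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x00,0x38,
    0x45,0x00,0x00,0x38, 0,1,0,0, 0x40,0x11,0,0, 10,0,0,1, 10,0,0,2 };

int main(void)
{
    printf("kind=%d ipv4_after_length=%d\n", classify_eth(sample, sizeof sample),
           is_length_prefixed_ipv4(sample, sizeof sample));
    return 0;
}
```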