# Revision history [back]

Hi Richard,

From epan/dissectors/packet-eth.c:

  /*
* If the type/length field is <= the maximum 802.3 length,
* and is not zero, this is an 802.3 frame, and it's a length
* field; it might be an Novell "raw 802.3" frame, with no
* 802.2 LLC header, or it might be a frame with an 802.2 LLC
*
* If the type/length field is >= the minimum Ethernet II length,
* this is an Ethernet II frame, and it's a type field.
*
* If the type/length field is > maximum 802.3 length and < minimum
* Ethernet II length, then this is an invalid packet.
*
* If the type/length field is zero (ETHERTYPE_UNK), this is
* a frame used internally by the Cisco MDS switch to contain
* Fibre Channel ("Vegas").  We treat that as an Ethernet II
* frame; the dissector for those frames registers itself with
* an ethernet type of ETHERTYPE_UNK.
*/


Indeed your hex data is showing two extra bytes between the the eth src/dst and the IP header. It appears to be the length of the frame, but as it is 0x38 (56) it is smaller than the minimum length of a frame and therefor Wireshark will not decode it as "802.3 RAW". Maybe the frame was captured on a box before padding took place?

One way to decode this is to use editcap to change the Link-Layer type to user0:

editcap -T user0 in.pcap out.pcap


And then rightclick on "DLT" in Wireshark to set the protocol preferences. Add a new entry with:

DLT: User 0


This will skip the first 14 bytes and decode the rest as (raw) IP.

Hi Richard,

From epan/dissectors/packet-eth.c:

  /*
* If the type/length field is <= the maximum 802.3 length,
* and is not zero, this is an 802.3 frame, and it's a length
* field; it might be an Novell "raw 802.3" frame, with no
* 802.2 LLC header, or it might be a frame with an 802.2 LLC
*
* If the type/length field is >= the minimum Ethernet II length,
* this is an Ethernet II frame, and it's a type field.
*
* If the type/length field is > maximum 802.3 length and < minimum
* Ethernet II length, then this is an invalid packet.
*
* If the type/length field is zero (ETHERTYPE_UNK), this is
* a frame used internally by the Cisco MDS switch to contain
* Fibre Channel ("Vegas").  We treat that as an Ethernet II
* frame; the dissector for those frames registers itself with
* an ethernet type of ETHERTYPE_UNK.
*/


Indeed your hex data is showing two extra bytes between the the eth src/dst and the IP header. It appears to be the length of the frame, but as it is 0x38 0x0038 (56) it is smaller than the minimum length of a frame and therefor Wireshark will not decode it as "802.3 RAW". Maybe the frame was captured on a box before padding took place?

One way to decode this is to use editcap to change the Link-Layer type to user0:

editcap -T user0 in.pcap out.pcap


And then rightclick on "DLT" in Wireshark to set the protocol preferences. Add a new entry with:

DLT: User 0