Wireshark · Ethereal-dev: RE: [ethereal-dev] Re: Summary page for ethereal

Ethereal-dev: RE: [ethereal-dev] Re: Summary page for ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Farley, Tim (ISSAtlanta)" <TFarley@xxxxxxx>

Date: Wed, 16 Jun 1999 13:27:32 -0400

>NetMon has a weird tendency to put out, as the last packet in 
>a capture, a packet with a start-of-capture-relative time stamp of 0, and a
>link-layer packet type of some oddball SNAP type.  It doesn't do so all
>the time, but I've seen a number of captures of that sort.

Actually it's quite simple.

It's a frame that contains "statistics" on the capture so far.  For whatever
reason, they encode it "as if" it were an ETHERNET frame with an Ethertype
of 0x1984, and both the TO and FROM MAC addresses are all zeroes (illegal).
Then they put the statistics gunk in the payload of that frame.  NetMon
ALWAYS adds this at the end of a capture.

The contents decode like this in NETMON:

STATS: Number of Frames Captured = 90
    STATS: Bytes Left = 80 (0x50)
    STATS: Version = 0 (0x0)
    STATS: Elapsed Time = 42 Seconds  64 Milliseconds
    STATS: Total Frames Captured = 90 (0x5A)
    STATS: Total Bytes Captured = 136980 (0x21714)
    STATS: Total Frames Filtered While Capturing = 90 (0x5A)
    STATS: Total Bytes Filtered While Capturing = 136260 (0x21444)
    STATS: Total Frames Seen During Capture = 1422 (0x58E)
    STATS: Total Bytes Seen During Capture = 360956 (0x581FC)
    STATS: Total MultiCasts Received = 21 (0x15)
    STATS: Total BroadCasts Received = 16 (0x10)
    STATS: Total Frames Dropped From Capture = 0 (0x0)
    STATS: Total Frames Dropped From Buffer = 0 (0x0)
    STATS: MAC Frames Received = 1317
    STATS: MAC CRC Errors = 0
    STATS: MAC Bytes Received = Unsupported Feature
    STATS: MAC Frames Dropped due to No Buffers = 0
    STATS: MAC Frames Dropped due to HardWare Errors = 0
    STATS: MAC MultiCasts Received = Unsupported Feature
    STATS: MAC BroadCasts Received = Unsupported Feature
    STATS: Padding Bytes

The base protocol (ethertype 1984) is called TRAIL, then there are several
things that layer on that, STATS being just one of them.  There are also
menu items that let you insert "comments" into a capture, and other less
explainable things.

The reason you don't always see it in a .CAP file is people often apply a
filter and then do a Save As, which excludes the statistics frame.

=====================================
Tim Farley
Software Engineer
tfarley@xxxxxxx

Internet Security Systems, Inc.
(678) 443-6000 / Direct Dial (678) 443-6189 / fax (678) 443-6479
http://www.iss.net

Adaptive Network Security for the Enterprise
=====================================

Follow-Ups:
- Re: [ethereal-dev] Re: Summary page for ethereal
  - From: Guy Harris

Prev by Date: RE: UI guidelines (was Re: [ethereal-dev] "Save" vs. "Save As")
Next by Date: Re: UI guidelines (was Re: [ethereal-dev] "Save" vs. "Save As")
Previous by thread: Re: [ethereal-dev] Re: Summary page for ethereal
Next by thread: Re: [ethereal-dev] Re: Summary page for ethereal
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$