Ethereal-dev: Re: [ethereal-dev] Re: NetXray v 3.03 capture file format

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gilbert Ramirez <gram@xxxxxxxxxx>
Date: Fri, 28 Jan 2000 23:16:34 -0600
On Thu, Jan 27, 2000 at 08:50:01PM -0500, Tom Poe wrote:
> I'm bringing this discussion over from where I started it in ethereal-users...
> 
> I talked to my support person who's working with the guy who took the trace.  
> He reports that the trace was taken on a ppp dial-up connection.
> My guy is going to ask for a detailed packet print-out for the first several
> packets.
> We also talked about letting other people look at the trace and we don't think
> it's a problem since the trace is mostly tcp http stuff.  So I'll send the
> trace to someone who can derive something from it.
> I did change the 4th entry in the table to WTAP_ENCAP_PPP, and that allowed
> Ethereal to open the file, but the decode fails.  (Only showing PPP unknown)

(Tom sent me the trace file)

It turns out that NetXray records the trace as containing WAN info, but
converts the frame to an Ethernet frame. It fills in the Ethernet source
and destination hardware addresses with the bytes representing
"SRC" and "DEST", and uses the ethernet type field to indicate which
protocol it's carrying. That caught my eye because the PPP ID for IP is 0x21,
and the ethernet type for IP is 0x800, and when I saw the ethernet
type for IP inside your trace file, I realized the trick they were pulling.

Attached is the one line patch to enable wiretap and Ethereal to
read NetXray WAN trace files.

--gilbert
Index: netxray.c
===================================================================
RCS file: /usr/local/cvsroot/ethereal/wiretap/netxray.c,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- netxray.c	2000/01/22 06:22:41	1.22
+++ netxray.c	2000/01/29 05:10:06	1.23
@@ -1,6 +1,6 @@
 /* netxray.c
  *
- * $Id: netxray.c,v 1.22 2000/01/22 06:22:41 guy Exp $
+ * $Id: netxray.c,v 1.23 2000/01/29 05:10:06 gram Exp $
  *
  * Wiretap Library
  * Copyright (c) 1998 by Gilbert Ramirez <gram@xxxxxxxxxx>
@@ -108,7 +108,7 @@
 		WTAP_ENCAP_ETHERNET,
 		WTAP_ENCAP_TR,
 		WTAP_ENCAP_FDDI_BITSWAPPED,
-		WTAP_ENCAP_UNKNOWN,	/* WAN */
+		WTAP_ENCAP_ETHERNET,	/* WAN(PPP), but shaped like ethernet */
 		WTAP_ENCAP_UNKNOWN,	/* LocalTalk */
 		WTAP_ENCAP_UNKNOWN,	/* "DIX" - should not occur */
 		WTAP_ENCAP_UNKNOWN,	/* ARCNET raw */
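Review bot: the replacement comment "WAN(PPP), but shaped like ethernet" documents a narrower case than the table entry now covers. The entry maps every NetXray WAN capture to WTAP_ENCAP_ETHERNET, while the only evidence is one PPP dial-up trace whose frames carry "SRC"/"DEST" placeholder hardware addresses and an IP Ethernet type. Nothing in this hunk checks that a WAN record actually has that shape, so a WAN capture of some other link type, or from a NetXray build that does not perform the conversion, would also be handed to the Ethernet dissector, and the placeholder bytes would be shown as if they were real MAC addresses. Suggest spelling the assumption out in the comment, along the lines of `WTAP_ENCAP_ETHERNET,	/* WAN(PPP): written as an Ethernet frame with "SRC"/"DEST" placeholder addresses; other WAN link types unverified */`, and, if the file header or first record gives enough to tell, validating the placeholder addresses before committing to WTAP_ENCAP_ETHERNET rather than trusting the table entry alone.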
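The reshaping Gilbert describes (a PPP frame recorded as an Ethernet frame with "SRC"/"DEST" in the hardware-address fields and the Ethernet type naming the payload) is easy to get wrong when reading such a file, because the frame looks like Ethernet and the placeholder addresses decode as plausible MACs. The following is an added example, not code from this post or from Ethereal/wiretap, that models the trick both ways: it reshapes a PPP frame the way NetXray is described as doing (PPP protocol ID 0x21 becomes Ethernet type 0x800) and decodes such a record, flagging the placeholder addresses so a consumer knows the link was really PPP. The NUL padding of "DEST"/"SRC" to six bytes, the IPv6 mapping row, and the sample addresses and ports are assumptions for the example; the page only states that the address fields hold those bytes and that IP is 0x21/0x800.

```python
import struct

# Added example (not code from the original post or from Ethereal/wiretap).
# Models the NetXray WAN-capture trick: a PPP frame is stored as an
# Ethernet-shaped frame whose hardware addresses hold the placeholder strings
# "DEST" and "SRC", with the Ethernet type field (not the PPP protocol ID)
# naming the payload protocol.

# Assumption: the placeholders are NUL-padded to the 6-byte address width.
# The post says only that the address fields hold the bytes for "DEST"/"SRC".
PLACEHOLDER_DST = b"DEST".ljust(6, b"\x00")
PLACEHOLDER_SRC = b"SRC".ljust(6, b"\x00")

PPP_ADDRESS, PPP_CONTROL = 0xFF, 0x03   # standard HDLC-style PPP framing bytes
PPP_PROTO_IP = 0x0021                   # PPP protocol ID for IPv4 (from the post)
ETHERTYPE_IP = 0x0800                   # Ethernet type for IPv4 (from the post)

# PPP protocol ID -> Ethernet type. Only the IPv4 row is confirmed by the post;
# the IPv6 row is an assumption based on the standard PPP (0x0057) and
# Ethernet (0x86DD) assignments.
PPP_TO_ETHERTYPE = {PPP_PROTO_IP: ETHERTYPE_IP, 0x0057: 0x86DD}


def ppp_to_netxray_wan(ppp_frame: bytes) -> bytes:
    """Reshape a raw PPP frame (FF 03 <proto16> <payload>) the way NetXray is
    described as doing for WAN captures: drop the PPP header, prepend the
    placeholder hardware addresses and the matching Ethernet type."""
    if len(ppp_frame) < 4 or ppp_frame[0] != PPP_ADDRESS or ppp_frame[1] != PPP_CONTROL:
        raise ValueError("not an address/control-framed PPP frame")
    proto = struct.unpack("!H", ppp_frame[2:4])[0]
    if proto not in PPP_TO_ETHERTYPE:
        raise ValueError(f"no Ethernet type mapping for PPP protocol 0x{proto:04x}")
    return (PLACEHOLDER_DST + PLACEHOLDER_SRC
            + struct.pack("!H", PPP_TO_ETHERTYPE[proto]) + ppp_frame[4:])


def decode_netxray_wan_frame(frame: bytes) -> dict:
    """Decode an Ethernet-shaped NetXray record. Reports whether the hardware
    addresses are the WAN placeholders (meaning the MACs are meaningless and
    the link was really PPP) and, for IPv4, the header fields a dissector
    would show."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pseudo = dst.startswith(b"DEST") and src.startswith(b"SRC")
    info = {
        "pseudo_ethernet": pseudo,
        "link_type": "ppp" if pseudo else "ethernet",
        "ethertype": ethertype,
    }
    payload = frame[14:]
    if ethertype == ETHERTYPE_IP and len(payload) >= 20 and payload[0] >> 4 == 4:
        ihl = (payload[0] & 0x0F) * 4
        info["ip_proto"] = payload[9]
        info["ip_src"] = ".".join(str(b) for b in payload[12:16])
        info["ip_dst"] = ".".join(str(b) for b in payload[16:20])
        info["ip_payload_len"] = max(struct.unpack("!H", payload[2:4])[0] - ihl, 0)
    return info


def sample_ppp_ip_frame() -> bytes:
    """Constructed sample: a PPP frame carrying a minimal IPv4/TCP SYN
    (addresses and ports invented for the example, checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 1024, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([192, 0, 2, 10]))
    return bytes([PPP_ADDRESS, PPP_CONTROL]) + struct.pack("!H", PPP_PROTO_IP) + ip + tcp


if __name__ == "__main__":
    record = ppp_to_netxray_wan(sample_ppp_ip_frame())
    print(decode_netxray_wan_frame(record))
```

The point of the `pseudo_ethernet` flag is the caveat a reader of such files needs: once the record is handed to an Ethernet dissector, nothing else distinguishes "DEST"/"SRC" from genuine hardware addresses, so any tooling that keys on MACs (host lists, vendor lookups) has to be told the link was PPP.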