Wireshark · Ethereal-dev: Re: [Ethereal-dev] netxray.c

Ethereal-dev: Re: [Ethereal-dev] netxray.c - patches

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Bill Meier" <wmeier@xxxxxxxxxxx>

Date: Mon, 29 Nov 2004 23:42:31 -0500

Bill Meier wrote:

    For the third case (for "PPP Captured with Pod" and fhdr.timeunit = 2) I've changed the code to use the timeunit, 
etc which results in the correct time display for the captures that I have. 


...

        else if ((network_type == 1) && (hdr.xxb[20] == CAPTYPE_PPP)) { 


Guy Harris wrote:

A network type of 1 is Ethernet, not PPP - are there PPP captures that have a network type of 1 rather than 4? I think 
the NDIS PPP captures have a network type of 4 ("WAN(PPP), but shaped like Ethernet"), and have fake Ethernet headers 
(as that's what NDISWAN puts on packets before handing them to regular NDIS protocol drivers), and at least some PPP 
captures done with a pod (CAPTYPE_PPP) also have a network type of 4.

Also, please submit the patches as "diff -c" or "diff -u" output - "diff" output of the sort you sent won't work if the 
file has been modified in SVN since you made the patch (fortunately, I don't think it has, but there's no version 12341 
in the main branch, so I can't check that - perhaps that's the version number assigned by SVN when the 0.10.7 branch 
was made).


Bill Meier writes:

1. The captures are Ethernet and not PPP (altho I'll have to determine exactly how the captures were made).

What I have is a number of ethernet captures from different sniffers with 
fhdr.network = 0 [that is: network type 1] and fhdr.xxb[20] = 3.
(fhdr.timeunit byte  = 0 or 2 depending upon whether the capture was of 10mbps or 100 mbps ethernet).

I've no idea what's different about some of the sniffers so that the ethernet captures have a 3 in xxb[20].
Maybe fhdr.xxb[20] = 3 for fhdr.network = 0 indicates some other kind of pod or something.

I'll take a little time later this week to see if I can determine if a different pod or model or whatever.


2. Yes, the version 12341 was from the 0.10.7 branch. Before submitting the diff I did verify that the main branch 
[trunk] version had been unchanged since 0.10.7.  Now that I understand the correct procedure I'll \
certainly do "diff -c" against the main branch version when submitting patches.


Bottom line: 

I do think the code is correct, but for fhdr.network = 0 identifying captype '3' as PPP would appear to be misleading.

So: I'll do a little more research and then resubmit the patch adding a comment or whatever.


Bill Meier

Follow-Ups:
- Re: [Ethereal-dev] netxray.c - patches
  - From: Guy Harris

Prev by Date: Re: [Ethereal-dev] show hostname in window title - feature/patch submission
Next by Date: [Ethereal-dev] RE: Profibus protocol
Previous by thread: Re: [Ethereal-dev] netxray.c - patches
Next by thread: Re: [Ethereal-dev] netxray.c - patches
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$