Ethereal-users: Re: [Ethereal-users] wierd packets in ippp capture

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Sat, 18 Nov 2000 14:12:53 -0800

On Sat, Nov 18, 2000 at 06:22:58PM +0100, Jon Forsberg wrote:
> Sorry, here's a new one. This time it starts at 7.970739.

...in the grand Linux tradition of completely random link-layer headers.
*Most* of the packets in that capture are "raw IP", with the IP header
being the first byte of the packet; however, a few packets have various
bits of extra random crap at the beginning (frame 19 - that's the frame
at 7.970739, but frame numbers are a bit easier to find than time stamps
- has 0x98 0x21; frame 20 has what appears to be 0x80 0x04 0x00 0x00
0x08 and 5 octets of 0x00, where the 0x08 *might* be part of 0x0800,
i.e. the Ethernet type for IP; frame 21, however, is "raw IP", but frame
23 reintroduces the 0x98 0x21).

Take a look at "dissect_raw()" in "packet-raw.c" to see some of the
hoops Linux's PPP, etc. makes us jump through.

Hopefully, Torsten Landschoff will finish up the stuff he's doing to
allow some link-layer types to get a "cooked" header put onto them in
libpcap (so that, instead of "raw IP", we can get something with a
standardized link-layer header, complete with network-layer packet type,
and, hopefully, *no* randomized link-layer header), at which point we
can make libpcap use that for ISDN and PPP on Linux.

Until then, this seems to indicate that yet another bit of bletcherosity
needs to be stuck into "packet-raw.c"; I may get around to that at some
point, but I don't know when that'll happen.
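
An added example, not part of the original message and not code from Ethereal's "packet-raw.c": one way a dissector could cope with captures like the one described, by scanning the first few bytes of each frame for an offset where the IPv4 version, header length and header checksum all validate. The helper name `find_ipv4_offset`, the 16-byte skip limit and the sample IP header are assumptions; only the prefix bytes (0x98 0x21, and 0x80 0x04 0x00 0x00 0x08 plus five zero octets) come from the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 20-byte IPv4 header with a valid checksum (0xb861). */
#define SAMPLE_IP 0x45,0x00,0x00,0x73,0x00,0x00,0x40,0x00,0x40,0x11, \
                  0xb8,0x61,0xc0,0xa8,0x00,0x01,0xc0,0xa8,0x00,0xc7
/* Prefix bytes are the ones quoted in the message; the payload is constructed. */
static const uint8_t frame_raw[] = { SAMPLE_IP };
static const uint8_t frame_2[]   = { 0x98, 0x21, SAMPLE_IP };
static const uint8_t frame_10[]  = { 0x80, 0x04, 0x00, 0x00, 0x08,
                                     0, 0, 0, 0, 0, SAMPLE_IP };

/* Ones'-complement sum over the header (RFC 1071); 0 means the checksum holds. */
static uint16_t ip_hdr_cksum(const uint8_t *p, size_t hlen)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hlen; i += 2)
        sum += ((uint32_t)p[i] << 8) | p[i + 1];
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Hypothetical helper: offset of the first byte sequence that validates as an
 * IPv4 header, trying at most max_skip leading junk bytes; -1 if none does. */
int find_ipv4_offset(const uint8_t *frame, size_t len, size_t max_skip)
{
    for (size_t off = 0; off <= max_skip && off + 20 <= len; off++) {
        const uint8_t *p = frame + off;
        size_t hlen = (size_t)(p[0] & 0x0f) * 4;
        size_t total = ((size_t)p[2] << 8) | p[3];
        if ((p[0] >> 4) != 4 || hlen < 20 || off + hlen > len)
            continue;               /* not version 4, or header doesn't fit */
        if (total < hlen)           /* total may exceed len if snaplen cut it */
            continue;
        if (ip_hdr_cksum(p, hlen) == 0)
            return (int)off;
    }
    return -1;
}

int main(void)
{
    printf("raw=%d frame19-style=%d frame20-style=%d\n",
           find_ipv4_offset(frame_raw, sizeof frame_raw, 16),
           find_ipv4_offset(frame_2, sizeof frame_2, 16),
           find_ipv4_offset(frame_10, sizeof frame_10, 16));
    return 0;
}
```

A 16-bit checksum can match by chance, so a result from this scan is a guess to show alongside the frame, not proof of what the link layer actually prepended.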