Wireshark · Ethereal-users: Re: [Ethereal-users] Ethereal for Windows: Why do I see two interfaces?

Ethereal-users: Re: [Ethereal-users] Ethereal for Windows: Why do I see two interfaces?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>

Date: Tue, 01 Nov 2005 10:53:04 -0800

Adnan Ali wrote:

However, of late things have got pretty confusing for
me, because when I sniff on the first interface, I am
seeing some packets with Ethernet address
encapsulation.

Internally to the Windows networking stack, PPP packets received ondial-up lines (and other PPP packets) are translated to Ethernetpackets, and Ethernet packets are translated to PPP packets before beingsent on dial-up lines, by a module called "NDISWAN".

Code that plugs into the Windows networking driver interface ("NDIS")from above, such as the WinPcap driver, will see packets received on aPPP interface as if it were an Ethernet packet.

2- What types of packets are these on this other
interface? May be I need to study some more about
IEEE 802.3 with LLC.

0000 52 54 53 53 03 00 00 00 00 00 a8 00 01 00 00 00RTSS............0010 25 e0 00 00 42 4c 55 45 00 00 00 00 00 00 00 00%...BLUE........0020 00 00 00 00 41 64 6d 69 6e 69 73 74 72 61 74 6f....Administrato0030 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00r...............0040 00 00 00 00 00 00 00 00 34 b9 20 52 41 53 34 b9........4. RAS4.0050 20 52 41 53 42 00 4c 00 55 00 45 00 00 00 00 00RASB.L.U.E.....0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00................0070 00 00 00 00 41 00 64 00 6d 00 69 00 6e 00 69 00....A.d.m.i.n.i.0080 73 00 74 00 72 00 61 00 74 00 6f 00 72 00 00 00s.t.r.a.t.o.r...0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00................00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00................00b0 00.

"RTSS"? That's the magic number for Microsoft Network Monitor 1.xfiles; with WinPcap 3.1, the driver that Network Monitor uses is the onethat WinPcap uses (the NDIS code apparently treats that driverspecially, so it can get at dial-up line packets more safely andreliably than other drivers).

In addition, there's an account name in there ("Administrator"), and"RAS" ("Remote Access Service", the Windows code for dial-up access).

Those packets sound as if they're something inserted by the NetworkMonitor driver. You might want to try capturing with WinDump (to removeEthereal from the issue) and report that to the WinPcap developers:


	http://www.winpcap.org/contact.htm

References:
- [Ethereal-users] Ethereal for Windows: Why do I see two interfaces?
  - From: Adnan Ali

Prev by Date: Re: [Ethereal-users] raw IEEE 802.11 headers
Next by Date: Re: [Ethereal-users] Re: raw IEEE 802.11 headers
Previous by thread: Re: [Ethereal-users] Ethereal for Windows: Why do I see two interfaces?
Next by thread: [Ethereal-users] Using the asn1 plugin to decode an arbitrary protocol
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$