Wireshark-bugs: [Wireshark-bugs] [Bug 10556] Wireshark can't open cap file from Microsoft Messag
Guy Harris changed bug 10556

What | Removed | Added
Status | UNCONFIRMED | INCOMPLETE
Ever confirmed | | 1

Comment # 1 on bug 10556 from Guy Harris
The Network Monitor 3.4 documentation says of the "Media Type" field for
packets:
The following table shows the currently defined media types.

    Type                                    Values
    Ethernet                                1
    Tokenring                               2
    FDDI                                    3
    ATM                                     4
    1394                                    5
    WiFi                                    6
    Tunneling interfaces                    7
    Wireless WAN                            8
    Raw IP Frames                           9
    Reserved for PCap Link Layer types      0xE000—0xEFFF
    Unsupported PCAP Link Layer type        0xE000
    Linux Cooked Mode                       0xE071
    NetEvent                                0xFFE0
    Netmon Network Info Ex                  0xFFFB
    Netmon PayloadHeader                    0xFFFC
    Netmon Network Info                     0xFFFD
    Netmon DNS Cache                        0xFFFE
    Netmon Filter                           0xFFFF

The media types for which Wireshark would report "netmon: converted pcap
network type XXX unknown or unsupported" are the ones in the "Reserved for PCap
Link Layer types" range; the manual does not explicitly say so, but values in
that range are to be interpreted as if you subtracted 0xE000 from them and then
interpreted the result as a pcap/pcap-ng file link-layer type.
The pcap/pcap-ng link-layer type 134 is reserved for Juniper, so, apparently,
Microsoft is using it for some other purpose here. A quick hack to look at the
raw packet data doesn't show any obvious frame type, so you'd probably have to
ask Microsoft how that file should be interpreted by a program reading it and
provide that information to us if you want to be able to read those files in
Wireshark.
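
The media-type interpretation described in the comment above, as an added example in C; it is not part of the original message and not Wireshark's own code. The enum, macro and function names are hypothetical, and 0xE086 is a constructed sample value equal to 134 + 0xE000.

```c
#include <stdint.h>
#include <stdio.h>

/* Classes of Network Monitor "Media Type" values, per the table quoted above. */
enum netmon_media_class {
    NM_NATIVE,        /* 1..9: Ethernet, Tokenring, ..., Raw IP Frames */
    NM_PCAP_UNSUPP,   /* 0xE000: "Unsupported PCAP Link Layer type" */
    NM_PCAP_LINKTYPE, /* 0xE001..0xEFFF: pcap link-layer type + 0xE000 */
    NM_METADATA,      /* 0xFFE0, 0xFFFB..0xFFFF: NetEvent and Netmon records */
    NM_UNKNOWN        /* anything the table does not define */
};

#define NM_PCAP_BASE 0xE000u
#define NM_PCAP_LAST 0xEFFFu

/* Classify a media type. For NM_PCAP_LINKTYPE, *linktype receives the
 * pcap/pcap-ng link-layer type (media - 0xE000); otherwise it is set to -1. */
enum netmon_media_class netmon_classify(uint16_t media, int *linktype)
{
    *linktype = -1;
    if (media >= 1 && media <= 9)
        return NM_NATIVE;
    if (media == NM_PCAP_BASE)
        return NM_PCAP_UNSUPP;
    if (media > NM_PCAP_BASE && media <= NM_PCAP_LAST) {
        *linktype = (int)(media - NM_PCAP_BASE);
        return NM_PCAP_LINKTYPE;
    }
    if (media == 0xFFE0u || media >= 0xFFFBu)
        return NM_METADATA;
    return NM_UNKNOWN;
}

int main(void)
{
    /* Constructed sample values, not taken from any capture file. */
    static const uint16_t samples[] = { 1, 6, 0xE000, 0xE071, 0xE086, 0xFFFD, 0x1234 };
    static const char *names[] = { "native", "pcap-unsupported", "pcap-linktype",
                                   "netmon-metadata", "unknown" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int lt;
        enum netmon_media_class c = netmon_classify(samples[i], &lt);
        printf("0x%04X: %s, pcap link-layer type %d (-1 = n/a)\n",
               (unsigned)samples[i], names[c], lt);
    }
    return 0;
}
```

A reader that gets NM_PCAP_LINKTYPE still has to decide whether it can dissect the resulting link-layer type; 134 is the case the comment says cannot be interpreted without more information from Microsoft.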