Wireshark-bugs: [Wireshark-bugs] [Bug 10556] Wireshark can't open netmon files from Microsoft Me
Date: Fri, 10 Oct 2014 11:09:19 +0000

Comment # 3 on bug 10556 from
(In reply to Guy Harris from comment #1)
> The pcap/pcap-ng link-layer type 134 is reserved for Juniper, so,
> apparently, Microsoft is using it for some other purpose here.

The particularity of this dump is that it's taken using the "Network Tunnel
Traffic and Unencrypted IPSE" profile of Microsoft Message Analyzer. From my
understanding, it's a dumping scenario where the packets are the ones
circulating in tunneled networks like PPP and/or VPN links and that are
effectively filtered by the firewall (inbound/outbound), so they are
unencrypted. I guess in the *.cap file all these IP packets are encapsulated in
"virtual" link-layer frames.

I'm not sure this information is sufficient. If you give me a hint I can try
to formulate a request to Microsoft Message Analyzer devs (which is new and
under heavy development).

> You'd have to convert it to pcap-ng format, *if* we can
> add support for those frame formats.

Ok, clear.

