Wireshark-dev: Re: [Wireshark-dev] Sometimes SLL/Linux cooked-mode capture is decoded and somet
Sorry for the late reply, and thanks Pascal.

My capture tool needed to look at the datalink type from libpcap in order to encode the "fake" syslog correctly. I wondered, when I first added this feature, why it seemed like sometimes it would work and sometimes it wouldn't. As you would know, it was because the datalink type was changing depending on what interface I was capturing on, and the encapsulation has to be formatted differently.

I now have Ethernet, Linux cooked capture, and NFLOG working.

Thanks again!

BR,
Michael Lum
Hi Michael,
Hi,

I've attached two captures with a single packet in each. They are both supposed to be syslog events injected into the capture with SLL (Linux cooked capture). On one, everything is decoded as expected; in the other, with the same first 16 octets, it is detected as Ethernet II only. I cannot figure out why they are not both decoded as SLL/Linux cooked-mode captures. Any thoughts would be greatly appreciated.

I'm running on Windows 7 using Wireshark 2.6.1. The capture was taken on a CentOS 7 box by a tool injecting the "fake" syslog message.
This comes from the encapsulation type stored in the pcap file: one is using 25 (Linux cooked capture) while the other one is using 1 (Ethernet). So something is wrong with the tool used to capture the second pcap.

You can fix the file with the following command: editcap -T linux-sll sll-not_detected.pcap sll-not_detected_fixed.pcap

Best regards,
Pascal.
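As an added example, not part of this thread or of Wireshark's own code, the script below reads the link-layer type from the pcap global header (the field that decides whether Wireshark hands the packet to the Ethernet or the SLL dissector), applies a plausibility check to the first packet's 16-byte SLL header, and rewrites the header field, which is the effect of the editcap command above on a plain pcap. The constants 1 and 113 are the LINKTYPE registry values stored in the file (25 and 1 in the reply above are Wireshark's internal wiretap encapsulation numbers); the one-packet capture is constructed inline.

```python
import struct

# pcap link-layer header types from the tcpdump.org LINKTYPE registry
LINKTYPE_ETHERNET = 1
LINKTYPE_LINUX_SLL = 113
MAGICS = {0xA1B2C3D4, 0xA1B23C4D}   # microsecond / nanosecond pcap magic


def pcap_byteorder(data):
    """struct byte-order prefix ('<' or '>') for a classic pcap, else None."""
    for order in ("<", ">"):
        if struct.unpack(order + "I", data[:4])[0] in MAGICS:
            return order
    return None


def read_linktype(data):
    """Link-layer type at offset 20 of the 24-byte pcap global header."""
    order = pcap_byteorder(data)
    if order is None:
        raise ValueError("not a classic pcap file")
    return struct.unpack(order + "I", data[20:24])[0]


def first_packet(data):
    """Bytes of the first packet record, after its 16-byte record header."""
    order = pcap_byteorder(data)
    _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(order + "IIII", data[24:40])
    return data[40:40 + incl_len]


def looks_like_sll(pkt):
    """Plausibility check for a Linux cooked header: big-endian packet type 0..4
    (host/broadcast/multicast/otherhost/outgoing) and address length <= 8."""
    if len(pkt) < 16:
        return False
    pkttype, _hatype, halen, _addr, _proto = struct.unpack(">HHH8sH", pkt[:16])
    return pkttype <= 4 and halen <= 8


def fix_linktype(data, linktype=LINKTYPE_LINUX_SLL):
    """Rewrite only the global-header link type; packet records are untouched."""
    order = pcap_byteorder(data)
    return data[:20] + struct.pack(order + "I", linktype) + data[24:]


def build_sample_pcap(linktype):
    """Constructed one-packet pcap: SLL header + IPv4-looking bytes + syslog text."""
    sll = struct.pack(">HHH8sH", 0, 1, 6, b"\x00\x11\x22\x33\x44\x55", 0x0800)
    payload = sll + b"\x45" + b"\x00" * 19 + b"<13>fake syslog message"
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    record = struct.pack("<IIII", 0, 0, len(payload), len(payload))
    return header + record + payload
```

A capture whose header says Ethernet but whose first packet passes `looks_like_sll` is exactly the mismatch described in the thread; `fix_linktype` repairs the header without altering the packet data.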