Wireshark-users: Re: [Wireshark-users] Decoding packets from a Cisco's "ip traffic-export" flow
From: Sake Blok <sake@xxxxxxxxxx>
Date: Sat, 1 Mar 2008 11:36:18 +0100
On Fri, Feb 29, 2008 at 09:40:27PM -0700, Stephen Fisher wrote:
> On Fri, Feb 29, 2008 at 10:33:42PM -0600, Frank Bulk wrote:
> 
> > The packets are showing up in Wireshark on my workstation, but the 
> > packets aren't decoding to show that they are a ping.  I see the 
> > payload of the ping in the data section, but it's like the "ip traffic 
> > export" feature added another header.  But the documentation says, 
> > "The unaltered IP packets are exported on a single LAN or VLAN 
> > interface, thereby, easing deployment of protocol analyzers and 
> > monitoring devices."
> 
> I haven't used that feature before, but if you would like to attach a 
> small capture file (2-3 packets) in a mail to the list, myself or 
> someone else could have a look at what the router may be adding.

I hadn't used this feature before either, but it certainly got me
interested so I configured a router to do "ip traffic export".
Unfortunately my test-setup was limited so I could not route
traffic *through* the box. But I was able to see the incoming 
packets as they were forwarded to the wireshark-pc by the router.
No additional headers were present. So basically the L2 layer
was replaced by "<wireshark-pc-mac><cisco-router-mac>0800".

Could you indeed post a capture with a few frames that show the
extra header? 

Cheers,
    Sake
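
The check discussed in this thread (does the IPv4 header start directly after a 14-byte Ethernet header with type 0800, or did the exporter put extra bytes in between?) can be scripted against raw frame bytes. This is an added example, not part of the original message; the MAC addresses, IP addresses and frame contents are constructed, and `locate_ip` and its `max_extra` parameter are hypothetical names.

```python
import struct

def csum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 when run over a header that is intact."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def valid_ipv4_at(frame: bytes, off: int) -> bool:
    """True if a version-4 header with a correct checksum starts at off."""
    if len(frame) < off + 20 or frame[off] >> 4 != 4:
        return False
    ihl = (frame[off] & 0x0F) * 4
    return ihl >= 20 and len(frame) >= off + ihl and csum(frame[off:off + ihl]) == 0

def locate_ip(frame: bytes, max_extra: int = 64):
    """Return (ethertype, bytes between L2 header and IPv4, IP protocol)."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    for off in range(14, 14 + max_extra + 1):
        if valid_ipv4_at(frame, off):
            return ethertype, off - 14, frame[off + 9]
    return ethertype, None, None

def sample_frame(extra: bytes = b"") -> bytes:
    """Constructed frame: Ethernet + optional extra bytes + IPv4 + ICMP echo."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcdefgh"
    icmp = icmp[:2] + struct.pack("!H", csum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    ip = ip[:10] + struct.pack("!H", csum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000002" + "020000000001" + "0800")  # dst, src, type
    return eth + extra + ip + icmp

if __name__ == "__main__":
    for label, extra in (("plain", b""), ("4 extra bytes", b"\x00\x01\x02\x03")):
        etype, gap, proto = locate_ip(sample_frame(extra))
        print(f"{label}: ethertype=0x{etype:04x} gap={gap} ip_proto={proto}")
```

A gap of 0 with IP protocol 1 matches the "no additional headers" result; a non-zero gap gives the length of whatever was inserted, which is the part worth posting to the list.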