Wireshark-users: Re: [Wireshark-users] Decoding packets from a Cisco's "ip traffic-export" flow
From: "Frank Bulk" <frnkblk@xxxxxxxxx>
Date: Sat, 1 Mar 2008 12:55:04 -0600
Thanks!  Did you use bittwiste with the '-D' option to remove the first 24
bytes?

The "from" in your modified capture is properly decoded as the Sony laptop
I'm using (00:01:4a:9e:0e:06), but the destination (08:00:b6:53:00:08) seems
to be some kind of variation of the MAC address of the 7200VXR's
FastEthernet interface (0030.b653.0008) that the Sony laptop is connected to.
Perhaps it's the MAC address of the loopback interface I have defined for the
Virtual-Template?

In any case, is there an option in Wireshark to ignore the first 'x' bytes,
or is it possible for someone to write a dissector that handles the IP
Traffic Export format, perhaps making it optional in the "Frame" section in
the same way as "Treat all frames as DOCSIS frames"?

If someone has a Cisco 1841, Cisco 2800 series, or Cisco 3800 series
integrated services router on which they can also test ip traffic-export with
12.2(31)SB11, I would be interested in learning if this prepending is unique
to the 7200.  Sake posted that "the L2 layer was replaced by
<wireshark-pc-mac><cisco-router-mac>0800", but that wasn't the case for me.

Frank

-----Original Message-----
From: Bill Meier [mailto:wmeier@xxxxxxxxxxx] 
Sent: Saturday, March 01, 2008 12:13 PM
To: frnkblk@xxxxxxxxx; Community support list for Wireshark
Subject: Re: [Wireshark-users] Decoding packets from a Cisco's "ip
traffic-export" flow

Frank Bulk wrote:
>
> Ethernet hdr specifying type  0x0800 [IP]
> 0000  00 12 79 63 1a 8c 00 30  b6 53 00 06 08 00
>
> 20 unknown (to me) bytes
> 0000                                             b6 53
> 0010  00 08 00 01 4a 9e 0e 06  88 64 11 00 00 06 00 3e
> 0020  00 21
>
> looks like a good ip hdr & icmp payload
> 0020        45 00 ....................................
> 0030  ................................................
> 0040  ................................................
> 0050  ............................................
>
>

OK: (Learning as I go)

It appears that what's really going on is that there's an extra 12 bytes
of ethernet destination/source at the beginning of the packet.

If I strip those, I get what appears to be the original frame (see
attached).

So: it seems that the ethernet src/dest at the beginning is (as you
said) the MAC of the switch tap src and (presumably) the dest is the MAC
of your wireshark PC.

Interesting....
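Added example (not from the thread, and not Wireshark or bittwiste code): a small
Python script that does what Frank asks for, dropping the first 'x' bytes of every
frame in a pcap so Wireshark sees plain Ethernet, and then decoding the result so
you can check that what is left makes sense. It assumes the 12-byte prefix (outer
dst MAC + outer src MAC) that Bill found, so EXPORT_PREFIX_LEN is a parameter you
can change; the pcap reader only handles the classic little-endian microsecond pcap
format; and the IPv4/ICMP payload of the sample frame is constructed for the demo,
only the first 34 bytes are the ones quoted in Bill's hex dump. One thing worth
seeing in the bytes themselves: after the 12-byte strip, the "20 unknown bytes"
read as dst 08:00:b6:53:00:08, src 00:01:4a:9e:0e:06, EtherType 0x8864 (PPPoE
session) and a PPPoE header whose PPP protocol 0x0021 announces an IPv4 packet of
60 bytes, and the 08 00 that becomes the first two bytes of the inner destination
is the same pair of bytes the outer header shows as EtherType 0x0800.

```python
"""Strip the prefix Cisco "ip traffic-export" puts in front of each exported
frame and decode what is left.  Added example, not code from the thread or
from Wireshark/bittwiste.  Assumed (not from the page): a 12-byte prefix of
outer dst + src MAC, little-endian microsecond pcap files, constructed IP payload."""
import socket
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
EXPORT_PREFIX_LEN = 12            # assumed: outer dst MAC + outer src MAC
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PPPOE_SESSION = 0x8864  # PPPoE session stage
PPP_PROTO_IPV4 = 0x0021           # PPP protocol number for IPv4


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def decode_frame(frame):
    """Decode the Ethernet header and, for EtherType 0x8864, the PPPoE session
    header; return the fields worth checking after stripping."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]), "ethertype": etype}
    payload, inner = frame[14:], b""
    if etype == ETHERTYPE_PPPOE_SESSION and len(payload) >= 8:
        vt, code, session, length, ppp_proto = struct.unpack("!BBHHH", payload[:8])
        info.update(pppoe_ver=vt >> 4, pppoe_type=vt & 0xF, pppoe_code=code,
                    pppoe_session=session, pppoe_len=length, ppp_proto=ppp_proto)
        if ppp_proto == PPP_PROTO_IPV4:
            inner = payload[8:8 + length - 2]  # PPPoE length counts the 2-byte PPP protocol
    elif etype == ETHERTYPE_IPV4:
        inner = payload
    if len(inner) >= 20 and inner[0] >> 4 == 4:
        info["ip_total_len"] = struct.unpack("!H", inner[2:4])[0]
        info["ip_proto"] = inner[9]
    return info


def read_pcap(data):
    """Parse a classic pcap file into (linktype, [(ts_sec, ts_usec, frame), ...])."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC_USEC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    pkts, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        pkts.append((ts_sec, ts_usec, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return linktype, pkts


def write_pcap(linktype, pkts, snaplen=65535):
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, frame in pkts:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return bytes(out)


def strip_pcap(data, n=EXPORT_PREFIX_LEN):
    """Rewrite a pcap so every frame loses its first n bytes (the bittwiste step);
    Wireshark then dissects the result as ordinary Ethernet."""
    linktype, pkts = read_pcap(data)
    return write_pcap(linktype, [(s, u, f[n:]) for s, u, f in pkts])


# The 34 bytes quoted in the thread: outer Ethernet header, then the "20 unknown
# bytes", which after the 12-byte prefix read as dst, src, EtherType 0x8864 and a
# PPPoE session header whose PPP protocol 0x0021 says an IPv4 packet follows.
EXPORTED_HEAD = bytes.fromhex(
    "001279631a8c" "0030b6530006"           # the 12-byte prefix: outer dst, outer src
    "0800" "b6530008" "00014a9e0e06"        # then dst 08:00:b6:53:00:08, src 00:01:4a:9e:0e:06
    "8864" "11" "00" "0006" "003e" "0021")  # PPPoE session: ver/type, code, session 6, len 62, PPP IPv4


def inet_csum(b):
    """RFC 1071 one's-complement checksum."""
    if len(b) % 2:
        b += b"\0"
    s = sum(struct.unpack("!%dH" % (len(b) // 2), b))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def ipv4_icmp_echo(src, dst, data=bytes(range(0x61, 0x61 + 32))):
    """Constructed 60-byte IPv4/ICMP echo request (20 + 8 + 32), the size the
    PPPoE length 62 implies; addresses come from the RFC 5737 test ranges."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data
    icmp = icmp[:2] + struct.pack("!H", inet_csum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_csum(hdr)) + hdr[12:] + icmp


def demo():
    """Round trip: exported frame -> pcap -> stripped pcap -> decoded fields."""
    frame = EXPORTED_HEAD + ipv4_icmp_echo("192.0.2.10", "192.0.2.1")
    fixed = strip_pcap(write_pcap(LINKTYPE_ETHERNET, [(1204397704, 0, frame)]))  # constructed timestamp
    return decode_frame(read_pcap(fixed)[1][0][2])
```

To use it on a real export, read the capture file as bytes, pass them through
strip_pcap (with a different n if your router prepends something else), write
the result to a new file and open that in Wireshark. decode_frame is the quick
sanity check: if the MACs, EtherType and inner IP length look right after the
strip, the offset is right; if they come out as garbage, try another value.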