Wireshark-users: [Wireshark-users] Layer 2 identification...
I'm hoping someone can point me in the right direction. I have a PCAP
file where the packets do not have an Ethernet header; instead they
have a PPP (Point-to-Point Protocol) header.
I have a few questions.
1. The PPP header I'm seeing in Wireshark has the following structure:
Address 0xFF (1 byte)
Control 0x03 (1 byte)
Protocol 0x0021 (2 bytes)
<...followed by IPv4...>
What happened to the 1-byte Flag field (usually set at 0x7E) which
indicates the beginning of the PPP frame?
2. Given that the flag field is missing, how was Wireshark still able
to guess the proper format of the packet? The packet format is:
PPP
IPv4
UDP/Teredo
IPv6
ICMPv6
3. Even if the flag field were present, how does Wireshark usually
identify the type of Layer 2 header? Does it guess?
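
Added example, not part of the original post: a classic pcap file records its link-layer type in the 24-byte global header, and the dissector for each packet is selected from that value, so the sketch below reads the field and then decodes the Address/Control/Protocol layout quoted in the post. The capture bytes, the function names and the small lookup tables are constructed for illustration.

```python
import struct

# A few link-layer type codes from the tcpdump.org LINKTYPE_ registry.
LINKTYPES = {1: "ETHERNET", 9: "PPP", 50: "PPP_HDLC", 101: "RAW"}
PPP_PROTOCOLS = {0x0021: "IPv4", 0x0057: "IPv6", 0xC021: "LCP"}

def parse_header(pcap: bytes):
    """Return (byte order, link type) from a classic pcap global header."""
    if len(pcap) < 24:
        raise ValueError("truncated pcap global header")
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a microsecond-resolution classic pcap file")
    return endian, struct.unpack(endian + "I", pcap[20:24])[0]

def first_packet(pcap: bytes) -> bytes:
    """Return the captured bytes of the first packet record."""
    endian, _ = parse_header(pcap)
    if len(pcap) < 40:
        raise ValueError("no packet record present")
    incl_len = struct.unpack(endian + "I", pcap[32:36])[0]
    if len(pcap) < 40 + incl_len:
        raise ValueError("truncated packet record")
    return pcap[40:40 + incl_len]

def parse_ppp(frame: bytes):
    """Decode a LINKTYPE_PPP frame into (protocol name, payload)."""
    # With HDLC-like framing (RFC 1662) the frame starts with Address 0xff
    # and Control 0x03; otherwise it starts directly at the Protocol field.
    # The 0x7e flag only delimits frames on the wire, so the captured layout
    # shown in the post starts at Address.
    off = 2 if frame[:2] == b"\xff\x03" else 0
    if len(frame) < off + 2:
        raise ValueError("truncated PPP header")
    proto = struct.unpack(">H", frame[off:off + 2])[0]
    return PPP_PROTOCOLS.get(proto, hex(proto)), frame[off + 2:]

# Constructed sample: PPP header from the post plus a bare 20-byte IPv4 header.
FRAME = bytes.fromhex("ff030021" "450000140000000040110000c0000201c0000202"[:40])
FRAME = bytes.fromhex("ff030021" "45000014000000004011" "0000c0000201c0000202")
SAMPLE = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 9)  # linktype 9
    + struct.pack("<IIII", 0, 0, len(FRAME), len(FRAME))
    + FRAME
)

if __name__ == "__main__":
    _, linktype = parse_header(SAMPLE)
    print("link type:", LINKTYPES.get(linktype, linktype))
    print("PPP protocol:", parse_ppp(first_packet(SAMPLE))[0])
```

The one-byte compressed Protocol field that PPP allows after negotiation is not handled here.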