Ethereal-dev: Re: [ethereal-dev] Antwort: Re: [ethereal-users] Reading AIX-iptrace on at0

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gilbert Ramirez <gram@xxxxxxxxxx>
Date: Wed, 17 Nov 1999 21:10:47 -0600

On Tue, Nov 16, 1999 at 11:45:25PM -0800, Guy Harris wrote:
> 
> 	bytes 0 and 1 always appear to be 0;
> 
> 	bytes 2 and 3 contain the frame size + 32 (or perhaps that's in
> 	bytes 0-3, as a 32-bit quantity);

My guess is that it's a 32-bit quantity, but 4-gigabyte packets
scare me.

> 	bytes 4-11 contain, at least in frames 1, 2, 3, and 9:
> 
> 		0x38
> 		0x2c
> 		0xa2
> 		0xab in frames 1 and 2, 0xad in frame 3, 0xaf in frame 9;

This is a copy of the tv_sec0. I have no idea why. Here's my updated
iptrace_pkt_hdr struct. junk1 and junk2 appear to always be 0.

typedef struct {
/* 0-3 */       guint32         pkt_length;     /* packet length + 32 */
/* 4-7 */       guint32         tv_sec0;        /* copy of tv_sec */
/* 8-11 */      guint32         junk1;          /* ?? */
/* 12-15 */     char            if_name[4];     /* null-terminated */
/* 16-27 */     char            if_desc[12];    /* interface description. */
/* 28 */        guint8          if_type;        /* BSD net/if_types.h */
/* 29 */        guint8          tx_flag;        /* 0=receive, 1=transmit */
/* 30-31 */     guint16         junk2;
/* 32-35 */     guint32         tv_sec;
/* 36-39 */     guint32         tv_usec;
} iptrace_phdr;

> That then raises the question of what the rest of the bytes are.  In the
> multi-homed trace, it's 0x01 in frame 1 and 0x00 in frame 2 - I didn't
> look at the other frames.  The next two bytes are 0 in those frames I
> looked at.
> 
> So byte 28 won't tell you what ATM encapsulation it has, and bytes 27
> and 28 seem to be 0x6c 0x42 in all the frames I looked at.

I just realized that byte 0x29 appears to be a receive/transmit flag.
Another field spelunked!

--gilbert
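
The header layout in the message above, turned into a bounds-checked parser as an added example (not code from the original message or from Ethereal). It assumes big-endian fields, which fits the observation that bytes 0 and 1 are zero while bytes 2 and 3 carry the size; the 65535-byte cap, the sample record and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN   40u     /* size of the struct in the post */
#define LEN_BIAS  32u     /* pkt_length = packet length + 32, per the post */
#define MAX_FRAME 65535u  /* assumed sanity cap, not from the post */
typedef struct {
    uint32_t frame_len, tv_sec, tv_usec;
    char     if_name[5];  /* 4 bytes from the file plus a forced NUL */
    uint8_t  if_type, tx_flag;
} iptrace_info;
static uint32_t be32(const uint8_t *p) {  /* assumes big-endian fields */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* 0 = ok, -1 = buffer too short, -2 = length field wraps or exceeds the cap */
int iptrace_parse(const uint8_t *buf, size_t avail, iptrace_info *out) {
    if (avail < HDR_LEN) return -1;
    uint32_t len = be32(buf);
    if (len < LEN_BIAS || len - LEN_BIAS > MAX_FRAME) return -2;
    if (len - LEN_BIAS > avail - HDR_LEN) return -1;  /* frame truncated */
    out->frame_len = len - LEN_BIAS;
    memcpy(out->if_name, buf + 12, 4);
    out->if_name[4] = '\0';  /* do not rely on the file to terminate it */
    out->if_type = buf[28]; out->tx_flag = buf[29];
    out->tv_sec = be32(buf + 32); out->tv_usec = be32(buf + 36);
    return 0;
}

/* Constructed sample: 40-byte header for "at0" plus a 4-byte frame. */
static const uint8_t sample[44] = {
    0,0,0,36, 0x38,0x2c,0xa2,0xab, 0,0,0,0, 'a','t','0',0,
    0,0,0,0,0,0,0,0,0,0,0,0, 0x25, 1, 0,0,
    0x38,0x2c,0xa2,0xab, 0,0,0x01,0xf4, 0xde,0xad,0xbe,0xef };
static iptrace_info parsed;  /* result of the latest parse_with_length() */

/* Parse a copy of the sample with its length field overwritten. */
int parse_with_length(uint32_t len) {
    uint8_t rec[sizeof sample];
    memcpy(rec, sample, sizeof rec);
    for (int i = 0; i < 4; i++) rec[i] = (uint8_t)(len >> (24 - 8 * i));
    return iptrace_parse(rec, sizeof rec, &parsed);
}
int main(void) {
    printf("ok=%d underflow=%d huge=%d\n", parse_with_length(36),
           parse_with_length(31), parse_with_length(0xffffffffu));
    return 0;
}
```

Checking the length field before subtracting 32 or sizing a read is what keeps a corrupt or hostile capture file from driving the reader into a wrapped length or an oversized allocation.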