Ethereal-dev: Re: [ethereal-dev] PPP decode problem (fwd)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Sat, 27 Nov 1999 12:32:06 -0800
> I'm forwarding this to the list (with Ton's permission) since I'm not
> familiar with the Sniffer file format.
> 
> From looking at the data display, each packet in the capture appears to be
> a valid PPP/LCP frame.

Change 1.14 to "wiretap/ngsniffer.c" added a patch from Olivier Abad to
handle X.25; that patch treats Sniffer files with a network type of 7,
or "Internetwork analyzer", as LAPB.

I have the suspicion that "Internetwork analyzer" may be Snifferese for
"anything that does WAN analysis, except for ATM" - i.e., their X.25
analyzer may write out files with a network type of 7 and with LAPB
frames in them, the analyzer that Ton was using may write out files with
a network type of 7 and with PPP frames in them, etc., with, perhaps,
*NO* indication of which *particular* type of "Internetwork analyzer"
this is.  (Olivier, do you have a Sniffer X.25 capture you can send us,
so we can see if it and the PPP capture differ in some way that might
mean there's a field that says what type of packets are in the capture?)

And I thought that particular irritation was limited to "libpcap"
format.  Sigh.

LAPB headers start with 0x01 or 0x03, and PPP headers start with 0xFF,
so we could probably distinguish between those two flavors of
"Internetwork analyzer" by looking at the first byte of the first frame
- if it's 0xFF, assume it's PPP, otherwise assume it's LAPB (at least
until we find out that some *other* type of trace is written out as an
"Internetwork analyzer" trace).

I'll look at doing that.

> P.S. an additional feature could be to set a manual offset where Ethereal
> needs to start with decoding in a frame in order to skip some parts...

Ton, what's an example of the sort of situation where you'd want that?
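
The first-byte check proposed in the message above, as an added example that is not part of the original post and is not code from wiretap/ngsniffer.c. All identifiers and the sample frames are hypothetical and constructed for illustration; the length check and the "expected byte" flag are additions that mark the cases the heuristic cannot confirm.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for this example; not from wiretap/ngsniffer.c. */
enum wan_encap { ENCAP_UNKNOWN, ENCAP_PPP, ENCAP_LAPB };

struct encap_guess {
    enum wan_encap encap;
    int expected_byte; /* 1 if the first byte is 0xFF, 0x01 or 0x03 */
};

/* Constructed sample frames (not taken from a real capture). */
static const uint8_t sample_ppp_lcp[] = { 0xFF, 0x03, 0xC0, 0x21, 0x01, 0x01, 0x00, 0x04 };
static const uint8_t sample_lapb[]    = { 0x01, 0x3F };
static const uint8_t sample_other[]   = { 0x45, 0x00 };

/* Guess the encapsulation of a network-type-7 file from its first frame. */
struct encap_guess guess_type7_encap(const uint8_t *frame, size_t len)
{
    struct encap_guess g = { ENCAP_UNKNOWN, 0 };

    /* An empty or missing first frame gives nothing to inspect; do not read frame[0]. */
    if (frame == NULL || len == 0)
        return g;

    if (frame[0] == 0xFF) {
        g.encap = ENCAP_PPP;
        g.expected_byte = 1;
    } else {
        /* Fallback from the message: anything that is not 0xFF is treated as LAPB. */
        g.encap = ENCAP_LAPB;
        g.expected_byte = (frame[0] == 0x01 || frame[0] == 0x03);
    }
    return g;
}

int main(void)
{
    static const char *const names[] = { "unknown", "PPP", "LAPB" };
    struct encap_guess g = guess_type7_encap(sample_ppp_lcp, sizeof sample_ppp_lcp);
    printf("PPP sample   -> %s (expected byte: %d)\n", names[g.encap], g.expected_byte);
    g = guess_type7_encap(sample_lapb, sizeof sample_lapb);
    printf("LAPB sample  -> %s (expected byte: %d)\n", names[g.encap], g.expected_byte);
    g = guess_type7_encap(sample_other, sizeof sample_other);
    printf("other sample -> %s (expected byte: %d)\n", names[g.encap], g.expected_byte);
    return 0;
}
```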