Ethereal-dev: Re: [ethereal-dev] Null capture type ...

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Sun, 5 Dec 1999 23:17:07 -0800
> Hmmm, a little experimentation, producing a Null capture with my little
> program shows me that Ethereal already understands a capture file that
> starts with
> 
>    0xFF000800 
> 
> as long as it is set as a NULL ENCAP type in the Wiretap file ...

"dissect_null()" would:

	not see 0xFF followed by 0x03, and not think of it as PPP;

	extract the first four octets as a 32-bit integer, giving:

		on a big-endian machine, 0xFF000800;

		on a little-endian machine, 0x000800FF;

	check whether the upper 16 bits are zero and, if not, byte swap
	it, giving:

		on a big-endian machine, 0x000800FF;

		on a little-endian machine, 0xFF000800;

	see that it's bigger than an IEEE_802_3_MAX_LEN, infer that it
	must have been a Linux loopback packet as munged by "libpcap",
	with 0x0000 followed by an ethertype, and hand it to
	"ethertype()" with an offset of 4 - "ethertype()" would grab the
	2 bytes before that offset and treat it as an Ethernet type, so,
	on a little-endian machine, it'd happen to do the right thing.

However, that's by accident rather than by design (and, I think, would
work only on a little-endian machine).

Any idea how the file in question was captured before being turned into
a "tcpdump" file?