Ethereal-dev: [ethereal-dev] sniffer is screwy - it messes with the content of packets as it d
I have two traces - one on ethereal, one on the sniffer, of the same data.
All of the opcodes (2 bytes) for the AARP requests on the sniffer are
byte-swapped in the byte view itself.
i.e. Ethereal has 01 00, which doesn't match up to anything in the opcode
table for AARP dissection
Sniffer has 00 01, which is a lookup request
Either the sniffer is editing the packet data inline, or it's another one of
those 'editing the packet in place' things like the NFS packet stuff w/ the
linux kernel.
I'm a little hesitant to change the ethereal code to use pletohs() on the
number, just in case this aarp code actually worked somewhere else -
although it does appear to be incorrectly directly accessing the packet data
as shorts (possibly will cause alignment issues, as has been discussed
before.)
Any thoughts?
I can send a sample trace if you'd like.
-- Nathan
------------------------------------------------------------
Nathan Neulinger EMail: nneul@xxxxxxx
University of Missouri - Rolla Phone: (573) 341-4841
Computing Services Fax: (573) 341-4216
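
An added example, not part of the original post or of the Ethereal source: reading the 2-byte AARP opcode byte by byte, which avoids both the alignment problem of dereferencing packet data as shorts and any dependence on host byte order. The helper names and the sample header bytes are constructed for illustration; the opcode offset (6) and function values 1 to 3 are assumed from the standard AARP header layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed AARP header layout: hw type(2), proto type(2), hw len(1),
 * proto len(1), then the 2-byte function (opcode) field. */
#define AARP_OPCODE_OFFSET 6

/* Byte-wise reads: safe at any address, independent of host endianness. */
static uint16_t read_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint16_t read_le16(const uint8_t *p) { return (uint16_t)((p[1] << 8) | p[0]); }

static const char *aarp_opcode_name(uint16_t op)
{
    switch (op) {
    case 1:  return "Request";
    case 2:  return "Response";
    case 3:  return "Probe";
    default: return "Unknown";
    }
}

/* Returns the opcode in network byte order, or -1 if the buffer is too short. */
static int aarp_opcode(const uint8_t *pkt, size_t len)
{
    if (len < AARP_OPCODE_OFFSET + 2)
        return -1;
    return read_be16(pkt + AARP_OPCODE_OFFSET);
}

/* Constructed samples: only the opcode bytes mirror the two traces described. */
static const uint8_t sample_0001[8] = {0x00,0x01,0x80,0x9b,0x06,0x04,0x00,0x01};
static const uint8_t sample_0100[8] = {0x00,0x01,0x80,0x9b,0x06,0x04,0x01,0x00};
/* Same header after one pad byte, so the opcode sits at an odd address. */
static const uint8_t sample_odd[9]  = {0xff,0x00,0x01,0x80,0x9b,0x06,0x04,0x00,0x01};

int main(void)
{
    int a = aarp_opcode(sample_0001, sizeof sample_0001);
    int b = aarp_opcode(sample_0100, sizeof sample_0100);
    int c = aarp_opcode(sample_odd + 1, sizeof sample_odd - 1);
    printf("00 01 -> %d (%s)\n", a, aarp_opcode_name((uint16_t)a));
    printf("01 00 -> %d (%s)\n", b, aarp_opcode_name((uint16_t)b));
    printf("01 00 read little-endian -> %u\n",
           (unsigned)read_le16(sample_0100 + AARP_OPCODE_OFFSET));
    printf("odd offset -> %d (%s)\n", c, aarp_opcode_name((uint16_t)c));
    return 0;
}
```

A little-endian read makes the 01 00 bytes decode as 1, but it would then misread a capture that stores 00 01, so the byte order of the capture has to be established before choosing the accessor.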