Wireshark · Ethereal-dev: [Ethereal-dev] Re: [Ethereal-users] capture HDLC packets with a NIC?

Ethereal-dev: [Ethereal-dev] Re: [Ethereal-users] capture HDLC packets with a NIC?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>

Date: Thu, 8 Feb 2001 13:24:17 -0800 (PST)

> It's a Ethernet card plugging into an Ethernet network.
> I guess you did say that HDLC packets could not be captured thru an Ethernet
> device.
> 
> Can Ethereal capture IP data

Ethereal captures link-layer data, which means that, when capturing on
an Ethernet, it'll capture Ethernet data, meaning that the data it
captures includes more than just the IP data - it includes the Ethernet
header on each packet.

> and write to a file in HDLC format instead of libpcap/tcpdump format?

There is no such thing as "HDLC format" as a format in which to write a
capture file.  What do you *really* mean when you say "HDLC format"?

HDLC is a protocol, just as there is an Ethernet protocol (with a
14-byte header) and an FDDI protocol (with a 13-byte header) and so on.

Ethereal and tcpdump and snoop and Sniffers and Network Monitor and so
on don't save files in "Ethernet format" or "FDDI format" or "HDLC
format", they save in tcpdump/libpcap format or snoop format or Sniffer
format or Network Monitor format.

Those formats include, in the per-file header, a specification of what
particular link-layer protocol is being used, but it's almost always the
case that if you were to write out a capture with a link-layer protocol
type other than the one that's being captured, the capture file, when
read, would make no sense whatsoever.

If, for example, you wrote out an Ethernet capture with a link-layer
protocol type of FDDI, Ethereal or tcpdump or snoop or the Sniffer or
Network Monitor or...  would try to interpret, say, the first 13 bytes
of the 14-byte Ethernet header as an FDDI header, which would mean it
would completely misinterpret the contents of the packet.

(For example, the editcap program that comes with Ethereal can be told
to write out a capture with a different link-layer header type - there
was some case where the link-layer header type didn't accurately reflect the

> Is there a utility to convert the libpcap/tcpdump data file to HDLC format
> data file?

As per the above, there is no such thing as an "HDLC format data file". 
There may be data files captured on network interface on which the
link-layer protocol *is* HDLC, which would have, in the file header, an
indication that the traffic is HDLC, but it would make no sense
whatsoever to write out an Ethernet capture with a link-layer type of
HDLC, as the program you use to read the file would then assume that
there's an HDLC header on the packets, and interpret the first few bytes
of the packet as an HDLC header - which wouldn't work correctly, given
that the first few bytes of the packet are an Ethernet header, not an
HDLC header.

Prev by Date: Re: [Ethereal-dev] Am I insane?
Next by Date: Re: [Ethereal-dev] NetXray / Sniffer Time Codes
Previous by thread: Re: [Ethereal-dev] Am I insane?
Next by thread: [Ethereal-dev] compiling on windows NT
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$