Ethereal-users: Re: [Ethereal-users] problems sniffing Gigabit

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Fri, 26 Apr 2002 13:26:21 -0700

On Fri, Apr 26, 2002 at 03:50:30PM -0400, Michael Cirulli wrote:
> Guy, Thanks for the feedback.    TCPDUMP does show the same packet format.

By "tcpdump does show the same packet format" you mean "tcpdump has the
same problem that Ethereal does"?

If so, then it's probably a driver bug.  What type of gigabit card is
it?  (I'm assuming here that by "gigabit" you mean "gigabit Ethernet".)

> The only verification I have that it is an arp packet is from a
> sniffer attached to the network monitoring this interface.  The sniffer is
> showing the ARP requests while the linux tools are showing the packet in
> the other format.

"The" packet?

A ping may involve more than one packet.  It *might* involve an ARP
request, *if* the MAC address of the host that's the first (and perhaps
only) hop on the route to the ping destination isn't already in the
pinging host's ARP cache, but it won't *necessarily* involve an ARP
request.  If the ARP succeeds, or if the MAC address is already in the
cache, the ping *will*, however, involve an ICMP ECHO packet, which is
an IP packet.

If a ping *does* involve one packet, it'd be an ICMP ECHO packet, not an
ARP packet, unless the ARP itself fails so that the ICMP ECHO can't even
be sent.

The Linux tools would presumably be showing the ICMP ECHO packets, *and*
the sniffer should show them as well, otherwise there's a problem
somewhere.  Perhaps the packet you showed from the gigabit capture was
an ICMP ECHO packet, not an ARP packet.
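
As an added illustration, not part of the original message or of Ethereal/tcpdump: a small Python classifier that tells an ARP request from an ICMP ECHO in raw Ethernet II bytes, the distinction the reply above turns on. The two sample frames, their MAC addresses and the 192.0.2.x addresses are constructed for the example, and checksums are left at zero because the classifier does not validate them.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_ICMP = 1

def classify_frame(frame: bytes) -> str:
    """Classify a raw Ethernet II frame (no VLAN tag) by its headers."""
    if len(frame) < 14:
        return "truncated"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETHERTYPE_ARP:
        if len(payload) < 28:            # fixed size for Ethernet/IPv4 ARP
            return "truncated"
        oper = struct.unpack("!H", payload[6:8])[0]
        return {1: "arp-request", 2: "arp-reply"}.get(oper, "arp-other")
    if ethertype == ETHERTYPE_IPV4:
        if len(payload) < 20:
            return "truncated"
        ihl = (payload[0] & 0x0F) * 4    # header length in bytes
        if ihl < 20 or len(payload) < ihl + 1:
            return "truncated"
        if payload[9] != IPPROTO_ICMP:
            return "ipv4-other"
        # Non-first fragments carry no ICMP header to inspect.
        if struct.unpack("!H", payload[6:8])[0] & 0x1FFF:
            return "ipv4-fragment"
        names = {8: "icmp-echo-request", 0: "icmp-echo-reply"}
        return names.get(payload[ihl], "icmp-other")
    return "other"

# Constructed sample frames (not taken from the capture discussed above).
SRC = bytes.fromhex("020000000001")
DST = bytes.fromhex("020000000002")
IP_A, IP_B = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])

ARP_REQUEST = (b"\xff" * 6 + SRC + struct.pack("!H", ETHERTYPE_ARP)
               + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
               + SRC + IP_A + b"\x00" * 6 + IP_B)

ICMP_ECHO = (DST + SRC + struct.pack("!H", ETHERTYPE_IPV4)
             + struct.pack("!BBHHHBBH", 0x45, 0, 28, 0, 0, 64, 1, 0)
             + IP_A + IP_B
             + struct.pack("!BBHHH", 8, 0, 0, 1, 1))

if __name__ == "__main__":
    for name, frame in (("ARP_REQUEST", ARP_REQUEST), ("ICMP_ECHO", ICMP_ECHO)):
        print(name, "->", classify_frame(frame))
```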