Ethereal-users: Re: [Ethereal-users] Ethereal on W2K POS/ATM Captures (alternatively on Linux)
On Thu, Oct 31, 2002 at 09:05:12PM -0800, Guy Harris wrote:
> If your POS is just running PPP over SONET, then a libpcap POS capture
> would have either DLT_PPP or perhaps DLT_PPP_BSDOS as the link-layer
> type;
...except on Windows, where it'd have DLT_EN10MB as the link-layer type,
as the way PPP works on Windows is that there's an intermediate driver
called NDISWAN that translates incoming PPP packets to fake Ethernet
packets before they're handed to the rest of the networking stack and
translates outgoing fake Ethernet packets to PPP packets before they're
handed to the low-level driver.
Therefore, PPP captures *on Windows* will look like Ethernet packets,
complete with fake source and destination addresses, so Ethereal will
dissect them as starting with MAC destination and source addresses
because they *do* start with fake MAC destination and source addresses.
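
The difference described in the message above, shown as an added example (not part of the original post, and not Ethereal or libpcap code): it reads the link-layer type from a classic pcap file header and decodes the start of the first frame accordingly. The function names, the MAC addresses and both one-packet capture files are constructed for illustration.

```python
import struct

DLT_EN10MB, DLT_PPP = 1, 9                      # link-layer types named in the message
BYTE_ORDER = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}  # pcap magic as read little-endian

def first_frame(pcap):
    """Return (linktype, frame) for the first packet of a classic pcap file."""
    if len(pcap) < 40:
        raise ValueError("need a 24-byte file header and a 16-byte record header")
    order = BYTE_ORDER.get(struct.unpack("<I", pcap[:4])[0])
    if order is None:
        raise ValueError("not a classic libpcap file")
    linktype = struct.unpack(order + "I", pcap[20:24])[0]
    incl_len = struct.unpack(order + "I", pcap[32:36])[0]
    frame = pcap[40:40 + incl_len]
    if len(frame) != incl_len:
        raise ValueError("truncated packet record")
    return linktype, frame

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def describe(pcap):
    """Say what the first bytes of the first frame are, going by the link type."""
    linktype, frame = first_frame(pcap)
    if linktype == DLT_EN10MB and len(frame) >= 14:
        # 6-byte destination, 6-byte source, 2-byte type: real or NDISWAN-made,
        # the header layout is the same and the file does not say which.
        return {"link": "DLT_EN10MB", "dst": mac(frame[:6]), "src": mac(frame[6:12]),
                "proto": struct.unpack("!H", frame[12:14])[0]}
    if linktype == DLT_PPP and len(frame) >= 4:
        skip = 2 if frame[:2] == b"\xff\x03" else 0  # optional HDLC-like address/control
        return {"link": "DLT_PPP", "proto": struct.unpack("!H", frame[skip:skip + 2])[0]}
    return {"link": linktype}

def make_pcap(linktype, frame):
    """Build a one-packet little-endian pcap file (constructed sample data)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return header + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

IP_STUB = bytes.fromhex("4500001c")  # constructed: first bytes of an IPv4 header
# Constructed MAC addresses; not the values NDISWAN actually assigns.
WINDOWS_PPP = make_pcap(DLT_EN10MB, bytes.fromhex("020000000001020000000002" "0800") + IP_STUB)
UNIX_PPP = make_pcap(DLT_PPP, bytes.fromhex("ff030021") + IP_STUB)

if __name__ == "__main__":
    print(describe(WINDOWS_PPP))
    print(describe(UNIX_PPP))
```

Both samples carry the same IP payload; only the link-layer type in the file header and the leading bytes of the frame differ.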