Wireshark-bugs: [Wireshark-bugs] [Bug 1702] PPPoE packets in Ethernet captures on Linux have bog
Date: Sun, 2 Sep 2007 22:59:18 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1702


guy@xxxxxxxxxxxx changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|the HTTP HTTP payload is not|PPPoE packets in Ethernet
                   |decoded                     |captures on Linux have bogus
                   |                            |payload lengths




------- Comment #1 from guy@xxxxxxxxxxxx  2007-09-02 22:59 GMT -------
The problem is with the PPPoE header; it has nothing to do with HTTP.

Either the PPPoE header on the wire is bad, or the Linux networking stack is
somehow mangling it.  I would bet on the latter, as various bits of networking
code in Linux have been known to modify packet data in place without a
copy-on-write being done when there's a capture being done on the network
adapter, so a modified-in-place packet gets handed to libpcap and thus
tcpdump/Wireshark/etc..

We do check for putatively-wrong (or, at least, bogus, as in "there's no need
for padding here") PPPoE payload lengths; I've added code to add an "expert"
warning for those packets (and to fix the check).  Perhaps if we think it's
wrong we should just ignore it.


-- 
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.