Wireshark-bugs: [Wireshark-bugs] [Bug 1702] PPPoE packets in Ethernet captures on Linux have bog
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1702
guy@xxxxxxxxxxxx changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|the HTTP HTTP payload is not|PPPoE packets in Ethernet
|decoded |captures on Linux have bogus
| |payload lengths
------- Comment #1 from guy@xxxxxxxxxxxx 2007-09-02 22:59 GMT -------
The problem is with the PPPoE header; it has nothing to do with HTTP.
Either the PPPoE header on the wire is bad, or the Linux networking stack is
somehow mangling it. I would bet on the latter, as various bits of networking
code in Linux have been known to modify packet data in place without a
copy-on-write being done when there's a capture being done on the network
adapter, so a modified-in-place packet gets handed to libpcap and thus
tcpdump/Wireshark/etc..
We do check for putatively-wrong (or, at least, bogus, as in "there's no need
for padding here") PPPoE payload lengths; I've added code to add an "expert"
warning for those packets (and to fix the check). Perhaps if we think it's
wrong we should just ignore it.
--
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.