Wireshark-bugs: [Wireshark-bugs] [Bug 11282] Wireshark fails to decode PCAP tracefile containing
Date: Wed, 17 Jun 2015 18:12:01 +0000

Comment # 9 on bug 11282 from
(In reply to Pascal Quantin from comment #7)
> The registered encapsulation type for LAPB is 12, not 15. I suggest you to
> try the various options provided by this tool (if no documentation explains
> how they set the encapsulation type).

If by "registered encapsulation type" you mean LINKTYPE_/DLT_ value, no, it's
neither 12 nor 15 nor anything else.

You're probably looking at the WTAP_ENCAP_ values; WTAP_ENCAP_LAPB is 12. 
WTAP_ENCAP_ values do *NOT* correspond to LINKTYPE_/DLT_ values; they're
internal values within Wireshark, and should *NEVER* appear as link-layer
header types in files or network protocols. WTAP_ENCAP_NULL is 15.

The values that appear in pcap and pcap-ng files are LINKTYPE_/DLT_ values. 
The only *official* LINKTYPE_/DLT_ value for storing LAPB traffic in a pcap or
pcap-ng file is 207, in which the packet begins with a one-byte direction
value, which is zero if the packet was received by the host doing the capturing
and non-zero (any non-zero value) if the packet was sent by the host doing the
capturing, and the LAPB frame follows, beginning with the LAPB header.

So any hardware or software that writes out pcap or pcap-ng files with LAPB
data is broken unless it uses 207 as the link-layer header type value and
prepends the one-byte direction value.


You are receiving this mail because:
  • You are watching all bug changes.