Wireshark-users: Re: [Wireshark-users] "strange" Fragmented ip packet
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 14 Apr 2008 12:48:36 -0700
Velissarios Lataris wrote:
Hi,So presumably that device looks like an Ethernet to the operating system.Wireshark sees the device's interface as a PPP/SLIP interface. The device is connected via usb2 to the system as a dial up modem. Dial up connections are established to a umts network.Are you capturing traffic to and from the machine on which you're running Wireshark? If so, what OS are you running on thatmachine?I'm capturing both, os is windows xp sp2. Hw is this connected to this issue?
Because it means that even PPP/SLIP interfaces will look like Ethernets to WinPcap and thus to Wireshark.
Yes, that could be the problem, although I'd *expect* that if the packet weren't received correctly some checksum/CRC at the GPRS, EDGE, or UMTS layer would catch that, and the E220 wouldn't have supplied the packet to the host in the first place.I take it wireshark in this case is capturing what the device is sending to the system,
Yes.
which could be different from what is actually coming through the air interface and received from the e220. So you are right to assume that this packet shouldn't be displayed (should have been rejected by the device) and thus this is an issue with the device.
True *if* the packet wasn't a valid packet; it might also have been a valid packet that wasn't an IP packet.
It might be that the adapter or the driver is constructing a fake Ethernet field, and is assuming that *all* traffic is IP traffic, which might explain why the Ethernet protocol type field is valid.I'm not exactly certain I understand what you mean here!
What I mean is that the adapter is, I think, receiving PPP packets over GPRS/EDGE/whatever UMTS calls its packet-switched service, and either supplying PPP packets to the host, which the driver (or Microsoft's NDISWAN code) is converting to Ethernet packets, or supplying Ethernet packets to the host.
If the code (on the adapter, in the driver, or in NDISWAN) is assuming that *all* packets it's supplied are IP packets, rather than looking at the PPP header to see what type of packet it's been handed, it would put hex 0800 in the type field of the fake Ethernet header it constructs, even if the packet is *not* an Ethernet packet; Wireshark will then attempt to dissect the packet as an IP packet, and find that it looks wrong.
From what I've read from looking for
huawei e220 linux
with Google, the E220 looks like a USB serial device, so it *probably*
supplies PPP packets, not Ethernet packets, to the host. I would be
surprised in NDISWAN naively converted incoming PPP packets to
IP-over-Ethernet packets, so I suspect that either
1) this is a bad packet that the adapter shouldn't have supplied to the host
or2) Huawei didn't know about NDISWAN and wrote their own code to convert PPP packets to Ethernet packets, and it assumes all PPP packets are IP packets. Whether the packets in question are packets that are not received correctly, or are packets that *were* received correctly but just aren't IP packets, is another question; I don't know which is the case.
- References:
- Re: [Wireshark-users] "strange" Fragmented ip packet
- From: Velissarios Lataris
- Re: [Wireshark-users] "strange" Fragmented ip packet
- Prev by Date: Re: [Wireshark-users] Is it a bug with Wireshark?
- Next by Date: Re: [Wireshark-users] Is it a bug with Wireshark?
- Previous by thread: Re: [Wireshark-users] "strange" Fragmented ip packet
- Next by thread: [Wireshark-users] IO and data exporting
- Index(es):