Wireshark · Wireshark-users: Re: [Wireshark-users] LINKTYPE_ATM_RFC1483 (code 100)

Wireshark-users: Re: [Wireshark-users] LINKTYPE_ATM_RFC1483 (code 100) - is there a problem?

From: "Luis EG Ontanon" <luis@xxxxxxxxxxx>

Date: Tue, 22 Apr 2008 11:41:21 +0200

Hi,

LINKTYPE_ATM_RFC1483 expects the LLC header right away, that's why it
doesn't work.

What's that 8 byte header? (Port,VP,VC?)


What you could do is to change the file to use one of the USER_DLTs
(147-162) and in the DLT_USER preferences assign llc to it and a
header size of 8.

\L





On Tue, Apr 22, 2008 at 7:33 AM, Nirupama Sankaranarayanan
<nirupama76@xxxxxxxxx> wrote:
> Hi,
>
>  I have some packets that are ATM LLC/SNAP
>  encapsulated. When I feed these into Wireshark with
>  the link type code 100, Wireshark does not decode the
>  entire packet correctly.
>
>  For e.g., the following OSPF packet -
>
>  0000   00 00 08 00 00 02 00 7f aa aa 03 00 00 00 08 00
>  0010   45 c0 00 40 aa d8 00 00 01 59 8b c7 c0 01 01 01
>  0020   c0 01 01 02 02 01 00 2c c0 01 01 01 00 00 00 00
>  0030   3b 9d 00 00 00 00 00 00 00 00 00 00 ff ff ff 00
>  0040   00 0a 02 00 00 00 00 28 00 00 00 00 00 00 00 00
>  0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0060   00 00 00 48 a5 c5 81 97
>
>  is decoded into -
>  Frame 1 (relevant info),
>  Logical-Link Control -> DSAP, IG Bit, SSAP, CR Bit,
>  Control field, and 100 bytes of data.
>
>  If the packet is edited to get rid of the first 8
>  octets (packet now starts at "aa aa") then it is
>  decoded correctly.
>
>  Questions -
>
>  1. Is this the expected behavior? Should we only
>  expect correct decodes if we start at the LLC part?
>
>  2. If this is the expected behavior, then is there any
>  other link type code that will get me proper decodes
>  for the above dump (without chopping off the ATM
>  header that is).
>
>  3. If answer to (2) is "no other link code", then is
>  it possible to introduce a new link type code to
>  decode the above correctly?
>
>  Thanks,
>  Niru
>
>
>
>       ____________________________________________________________________________________
>  Be a better friend, newshound, and
>  know-it-all with Yahoo! Mobile.  Try it now.  http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
>  _______________________________________________
>  Wireshark-users mailing list
>  Wireshark-users@xxxxxxxxxxxxx
>  http://www.wireshark.org/mailman/listinfo/wireshark-users
>



-- 
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan

References:
- [Wireshark-users] LINKTYPE_ATM_RFC1483 (code 100) - is there a problem?
  - From: Nirupama Sankaranarayanan

Prev by Date: Re: [Wireshark-users] Can I measure network load with wireshark?
Next by Date: [Wireshark-users] Only Seeing part of SSL packets
Previous by thread: [Wireshark-users] LINKTYPE_ATM_RFC1483 (code 100) - is there a problem?
Next by thread: [Wireshark-users] Can I measure network load with wireshark?
Index(es):
- Date
- Thread