Wireshark-users: Re: [Wireshark-users] Strange decoding?

From: Michael Tuexen <Michael.Tuexen@xxxxxxxxxxxxxxxxx>
Date: Wed, 25 Jan 2012 12:07:31 +0100
On Jan 25, 2012, at 11:39 AM, wiresharkusers@xxxxxxxxxxxx wrote:

> Hi,
> 
> I haven't looked at the source code, but I guess Wireshark reads the IP
> version information in the IP header (contained in the first byte of the IP header),
> which is 6 in packet #6, and that probably overrides the ethertype.
By looking at the code, you find in packet-ip.c, dissect_ip():
  iph->ip_v_hl = tvb_get_guint8(tvb, offset);
  if ( hi_nibble(iph->ip_v_hl) == 6) {
    call_dissector(ipv6_handle, tvb, pinfo, parent_tree);
    return;
  }
This means if the IPv4 dissector gets called with an IPv6 packet, it is
just decoded as an IPv6 packet. I'm not sure why we do this. Does anyone know?

Best regards
Michael
> 
> Regards,
> Jasper
> 
>> Hello,
> 
>> I have faulty equipment sending IPv6 packets with ethertype 0x0800 (IPv4).
>> Nevertheless Wireshark decodes it as IPv6 (check packet #6 of the joined file).
> 
>> It seems strange to me. I thought Wireshark uses the ethertype for decoding, or
>> at least selecting the dissector, but it does not seem to be the case. And even
>> if Wireshark uses another method I would have liked it to warn me.
> 
>> Could someone explain this behaviour to me?
> 
>> Regards.
>> Vincent
> 
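
The mismatch discussed in this thread, as an added example that is not part of the original messages or of Wireshark's code: a standalone C check that compares the EtherType with the IP version nibble (the same high nibble that dissect_ip() tests) and reports when they disagree. It also skips VLAN tags, which goes beyond the case in the thread; check_frame(), the verdict names and the sample frames are constructed for illustration.

```c
/* Added example (not Wireshark code): report frames whose EtherType and
 * IP version nibble disagree. All names below are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { V_OK, V_MISMATCH, V_NOT_IP, V_TRUNCATED };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

enum verdict check_frame(const uint8_t *f, size_t len)
{
    size_t off = 12;                       /* EtherType follows dst+src MAC */
    if (len < off + 2) return V_TRUNCATED;
    uint16_t et = rd16(f + off);
    while (et == 0x8100 || et == 0x88A8) { /* skip 802.1Q / 802.1ad tags */
        off += 4;
        if (len < off + 2) return V_TRUNCATED;
        et = rd16(f + off);
    }
    off += 2;                              /* first byte of the payload */
    unsigned expected;
    if (et == 0x0800) expected = 4;        /* IPv4 */
    else if (et == 0x86DD) expected = 6;   /* IPv6 */
    else return V_NOT_IP;
    if (len <= off) return V_TRUNCATED;
    /* High nibble of the first IP byte, as hi_nibble() in the snippet. */
    return (unsigned)(f[off] >> 4) == expected ? V_OK : V_MISMATCH;
}

/* Constructed sample frames: zeroed MACs, EtherType, first payload bytes. */
const uint8_t frame_v4_ok[]    = {0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00, 0x45,0x00};
const uint8_t frame_v6_in_v4[] = {0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00, 0x60,0x00};
const uint8_t frame_vlan_v6[]  = {0,0,0,0,0,0, 0,0,0,0,0,0, 0x81,0x00, 0x00,0x0A,
                                  0x86,0xDD, 0x60,0x00};
const uint8_t frame_arp[]      = {0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x06, 0x00,0x01};

int main(void)
{
    static const char *names[] = {"ok", "MISMATCH", "not-ip", "truncated"};
    printf("IPv4 in 0x0800:      %s\n", names[check_frame(frame_v4_ok, sizeof frame_v4_ok)]);
    printf("IPv6 in 0x0800:      %s\n", names[check_frame(frame_v6_in_v4, sizeof frame_v6_in_v4)]);
    printf("VLAN + IPv6/0x86DD:  %s\n", names[check_frame(frame_vlan_v6, sizeof frame_vlan_v6)]);
    printf("ARP:                 %s\n", names[check_frame(frame_arp, sizeof frame_arp)]);
    return 0;
}
```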