On Wed, Oct 30, 2002 at 04:29:33AM -0500, mrmartin1903@xxxxxxxxxxxx wrote:
> using Ethereal to load libcap captures I did not find a way to tell my
> Ethereal Installation on W2k to properly show POS or ATM capture files,
> since Ethereal always starts with MAC source/destination address.
What do you mean "Ethereal always starts with MAC source/destination
address"?
Ethereal does *not* assume that packets always start with MAC source and
destination addresses - it doesn't even assume that on LANs, given that
on FDDI, Token Ring, and 802.11, there's some frame control stuff in the
packet before the destination and source addresses.
If your POS is just running PPP over SONET, then a libpcap POS capture
would have either DLT_PPP or perhaps DLT_PPP_BSDOS as the link-layer
type; Ethereal does *not* assume that PPP packets being with a MAC
source or destination address.
There are a variety of *different* libpcap ATM capture file formats,
which Ethereal can read and can capture. WinPcap can, in theory,
capture ATM packets, and currently uses the DLT_ATM_RFC1483 format (in
which the packet starts with an 802.2 LLC header) for them. However,
ATM captures have never been tested with WinPcap - the WinPcap FAQ at
http://winpcap.polito.it/misc/faq.htm
says:
Q-17: Which network adapters are supported?
A: The NPF device driver was developed to work primarily with
Ethernet adapters. Support for other MACs was added during the
development, but Ethernet remains the preferred one. The main
reason is that all our development stations have Ethernet
adapters so all our tests were made on this type of network.
However, the current situation is:
o Windows 95/98/ME: the packet driver works correctly on
Ethernet networks. It works also on PPP WAN links, but
with some limitations (for example it is not able to
capture the LCP and NCP packets). FDDI, ARCNET, ATM and
Token Ring should be supported, however we did not test
them because we do not have the hardware, so do not expect
them to work perfectly.
o Windows NT4/2000: the packet driver works correctly
on Ethernet networks. We were not able to make it working
on PPP WAN links, because of binding problems on the
NDISWAN adapter. As in Win9x, FDDI, ARCNET, ATM and Token
Ring should be supported, but are not granted to work
perfectly.
...
I suspect FDDI and Token Ring will Just Work, as they're relatively
straightforward and have a standard frame format.
ATM, however, is another matter; the ATM code could just supply, for
example, raw AAL5 PDUs, or could supply a "pseudo-header" giving
information such as the VPI and VCI for the PDUs. Network Monitor
appears to have as the link-layer header for ATM captures, a 6-byte
"Destination address", a 6-byte "Source address", a 2-byte VPI, and a
2-byte VCI, and no information as to the type of traffic
(LLC-multiplexed, VC-multiplexed traffic of a particular type, LANE,
etc.).
> On the web I have seen that at least Linux would in theorie support
> Ethernet, ATM and PPP. Has anybody tried this with POS or ATM captures
> on W2K or any other OS?
It works fine on Solaris with ATM. I haven't tried ATM on other
platforms.
As for POS, if it just runs PPP over SONET, it should work on any OS
where you can capture PPP traffic.
