Wireshark · Ethereal-users: Re: [Ethereal-users] Ethereal on W2K POS/ATM Captures (alternatively on Linux)

Ethereal-users: Re: [Ethereal-users] Ethereal on W2K POS/ATM Captures (alternatively on Linux)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>

Date: Thu, 31 Oct 2002 21:53:29 -0800

On Thu, Oct 31, 2002 at 09:05:12PM -0800, Guy Harris wrote:
> If your POS is just running PPP over SONET, then a libpcap POS capture
> would have either DLT_PPP or perhaps DLT_PPP_BSDOS as the link-layer
> type;

...except on Windows, where it'd have DLT_EN10MB as the link-layer type,
as the way PPP works on Windows is that there's an intermediate driver
called NDISWAN that translates incoming PPP packets to fake Ethernet
packets before they're handed to the rest of the networking stack and
translates outgoing fake Ethernet packets to PPP packets before they're
handed to the low-level driver.

Therefore, PPP captures *on Windows* will look like Ethernet packets,
complete with fake source and destination addresses, so Ethereal will
dissect them as starting with MAC destination and source addresses
because they *do* start with fake MAC destination and source addresses.

References:
- [Ethereal-users] Ethereal on W2K POS/ATM Captures (alternatively on Linux)
  - From: mrmartin1903
- Re: [Ethereal-users] Ethereal on W2K POS/ATM Captures (alternatively on Linux)
  - From: Guy Harris

Prev by Date: Re: [Ethereal-users] Ethereal on W2K POS/ATM Captures (alternatively on Linux)
Previous by thread: Re: [Ethereal-users] Ethereal on W2K POS/ATM Captures (alternatively on Linux)
Next by thread: [Ethereal-users] Weird Data
Index(es):
- Date
- Thread