
Wireshark-dev: [Wireshark-dev] Fun with Cisco DLT-value usage

From: Joerg Mayer <jmayer@xxxxxxxxx>
Date: Thu, 15 Mar 2007 19:55:33 +0100
Hello List,

I'm trying to enable some people to read some captures in libpcap format
directly without having to change the binary capture packet first. The
packet was captured using Cisco's ERSPAN feature. In their infinite
wisdom, the engineers who implemented that feature chose a dlt-value of
0x71. What is the best way to handle that situation? Does someone else
use pcap version 2.4 or could that be a way to find out whether it's
some Cisco specific stuff or the regular WTAP_ENCAP_SLL?

I'll attach the packet and what I've found out about the packet format
so far.

 ciao
      Joerg
-- 
Joerg Mayer                                           <jmayer@xxxxxxxxx>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.

Attachment: msfc-capture.pcap
Description: application/cap

jmayer@egg:~/work/wireshark/infos/cisco/msfc-capture> xxd msfc-capture.pcap
0000000: d4c3 b2a1 0200 0400 0000 0000 0000 0000 <-- pcap header
0000010: ffff 0000
0000010:           7100 0000 <-- 0x71 (DLT_TYPE) = linux_cooked_capture (of course not)
0000010:                     7507 f845 11d1 0500 <-- pcap record header
0000020: 7a00 0000 7a00 0000 
0000020:                     0000 030a 0000 0000
0000030: 0000 0000
0000030:           0000 88be <-- GRE header
0000030:                     1002 0001 0000 0380 <-- ERSPAN header (01: erspan-id)
0000040: 00d0 b7a7 7480 0015 c721 75c0 0800 4500 <-- Ethernet packet
0000050: 0054 0000 4000 ff01 67a5 0aff ff03 0aff
0000060: ff01 0000 3c44 0810 0078 7507 f845 17cf
0000070: 0500 dead babe dead babe dead babe dead
0000080: babe dead babe dead babe dead babe dead
0000090: babe dead babe dead babe dead babe dead
00000a0: babe


rfc2784:
2.1. GRE Header

   The GRE packet header has the form:

    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |C|       Reserved0       | Ver |         Protocol Type         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |      Checksum (optional)      |       Reserved1 (Optional)    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+



http://www.cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a008069952a.html

For ERSPAN packets, the “protocol type” field value in the GRE header is 0x88BE.
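The layering the dump annotates (pcap global header with linktype 0x71, record header, the 16 bytes that end in the GRE flags and protocol type 0x88BE, the ERSPAN header, then the mirrored Ethernet frame) can be walked with a short parser. This is an added example, not code from the mail or from Wireshark; the bytes are re-typed from the xxd dump above. Two things are assumptions rather than facts stated on the page: the ERSPAN Type II field layout used to split the ERSPAN header, and the value ARPHRD_IPGRE = 778 (0x030a) used to check whether those first 16 bytes also decode as a Linux cooked (SLL) header.

```python
import struct

# msfc-capture.pcap as it appears in the xxd dump above, re-typed as hex (ICMP payload included).
MSFC_CAPTURE = bytes.fromhex(
    "d4c3b2a1 02000400 00000000 00000000 ffff0000 71000000"   # pcap global header
    "7507f845 11d10500 7a000000 7a000000"                     # pcap record header
    "0000030a 00000000 00000000 000088be"                     # 16 bytes ending in GRE flags/proto
    "10020001 00000380"                                       # ERSPAN header
    "00d0b7a77480 0015c72175c0 0800"                          # Ethernet dst, src, type
    "45000054 00004000 ff0167a5 0affff03 0affff01"            # IPv4 header
    "00003c44 08100078 7507f845 17cf0500" + "deadbabe" * 12   # ICMP echo reply + payload
)

LINKTYPE_LINUX_SLL = 113   # 0x71, the DLT value the capture carries
ETHERTYPE_ERSPAN = 0x88BE  # GRE protocol type for ERSPAN (Cisco document quoted above)
ARPHRD_IPGRE = 778         # assumption: 0x030a in Linux <linux/if_arp.h>, SLL hatype for GRE

def parse_pcap(data):
    """Decode the classic libpcap global header and return the first record's packet."""
    magic = struct.unpack_from("<I", data)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic libpcap file")
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, 24)
    packet = data[40:40 + incl_len]
    if len(packet) != incl_len:
        raise ValueError("first record is truncated")
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype, "packet": packet}

def parse_erspan_packet(packet):
    """Walk the packet as the mail annotates it: 16 bytes ending in the GRE flags and
    protocol type, an 8-byte ERSPAN header, then the mirrored Ethernet frame."""
    # Those first 16 bytes also fit the Linux cooked (SLL) layout, so decode them both ways.
    _pkttype, sll_hatype, sll_halen, _addr, _sll_proto = struct.unpack_from(">HHH8sH", packet, 0)
    gre_flags, gre_proto = struct.unpack_from(">HH", packet, 12)
    if gre_proto != ETHERTYPE_ERSPAN:
        raise ValueError(f"GRE protocol type 0x{gre_proto:04x} is not ERSPAN")
    word1, word2 = struct.unpack_from(">II", packet, 16)  # assumed ERSPAN Type II layout
    dst, src, ethertype = struct.unpack_from(">6s6sH", packet, 24)
    return {
        "sll_plausible": sll_halen == 0 and sll_hatype == ARPHRD_IPGRE,
        "sll_hatype": sll_hatype, "gre_flags": gre_flags, "gre_protocol": gre_proto,
        "erspan_version": word1 >> 28, "erspan_vlan": (word1 >> 16) & 0xFFF,
        "erspan_id": word1 & 0x3FF, "erspan_index": word2 & 0xFFFFF,
        "dst_mac": dst.hex(":"), "src_mac": src.hex(":"), "ethertype": ethertype,
    }
```

Checking the SLL reading is the practical point: if the hatype/halen/protocol fields line up, the same file can be fed to a dissector that treats linktype 113 as Linux cooked capture and selects ERSPAN on protocol 0x88BE, instead of needing a Cisco-specific DLT.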