Wireshark
the world's foremost network protocol analyzer
Wireshark-users: Re: [Wireshark-users] wireshark or linux kernel netfilter issue
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 02 Sep 2007 15:17:26 -0700
Toralf Förster wrote:
Hi, thank's for your replyhave you had an opportunuty to see what actually goes through the wire?Unfortunately not :-(
It appears, from the packets you sent in your other message (which would've been less confusing if you'd sent it as a reply to your own message) that the PPPoE header, as captured, is bogus; it claims that the payload length is 14 bytes, not 1294 bytes.
I don't know whether that's because the payload length is really wrong on the wire, or because the Linux PPPoE implementation just tweaks the PPPoE header in-place before the packet gets handed to the socket layer (and thus to libpcap and thus tcpdump/Wireshark/whatever program is capturing).
I would not be in the least surprised to find that it's the latter, as we've had problems with captures done on Linux before this, for the same reason. I thought there was copy-on-write logic that would prevent modified-in-place packets from being handed to programs capturing traffic, but I guess it either doesn't exist or isn't being used.
- Prev by Date: Re: [Wireshark-users] Experimental WireShark version with user interface list and remote capture (RPCAP) support
- Next by Date: Re: [Wireshark-users] Experimental WireShark version with user interface list and remote capture (RPCAP) support
- Previous by thread: Re: [Wireshark-users] Experimental WireShark version with user interface list and remote capture (RPCAP) support
- Next by thread: Re: [Wireshark-users] Wireshark MPEG-4
- Index(es):