Hi,
I have some packets that are ATM LLC/SNAP
encapsulated. When I feed these into Wireshark with
the link type code 100, Wireshark does not decode the
entire packet correctly.
For e.g., the following OSPF packet -
0000 00 00 08 00 00 02 00 7f aa aa 03 00 00 00 08 00
0010 45 c0 00 40 aa d8 00 00 01 59 8b c7 c0 01 01 01
0020 c0 01 01 02 02 01 00 2c c0 01 01 01 00 00 00 00
0030 3b 9d 00 00 00 00 00 00 00 00 00 00 ff ff ff 00
0040 00 0a 02 00 00 00 00 28 00 00 00 00 00 00 00 00
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060 00 00 00 48 a5 c5 81 97
is decoded into -
Frame 1 (relevant info),
Logical-Link Control -> DSAP, IG Bit, SSAP, CR Bit,
Control field, and 100 bytes of data.
If the packet is edited to get rid of the first 8
octets (packet now starts at "aa aa") then it is
decoded correctly.
Questions -
1. Is this the expected behavior? Should we only
expect correct decodes if we start at the LLC part?
2. If this is the expected behavior, then is there any
other link type code that will get me proper decodes
for the above dump (without chopping off the ATM
header that is).
3. If answer to (2) is "no other link code", then is
it possible to introduce a new link type code to
decode the above correctly?
Thanks,
Niru
____________________________________________________________________________________
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
