ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
April 17th, 2024 | 14:30-16:00 SGT (UTC+8) | Online
Wireshark logo

Wireshark-users: Re: [Wireshark-users] Unexpected Capture Results

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Josh Anderson" <netconsultkc@xxxxxxxxx>
Date: Wed, 25 Jun 2008 14:30:30 -0500
I agree in principle. But somehow I pulled this off the wire. I am working with a Nortel VoIP environment and during the time of the capture, the switch is reporting that it is receiving MAC Pause Frames from the phone (which I mirrored to the port connected to the laptop running Wireshark). I was wondering if it would be possible that these frames could be those pause frames that have somehow been manipulated by the NIC or the NIC driver on the laptop and turned in to what is captured here. I'm not sure if that is even a possibility, but if it is, does anyone know of a more reliable way that I can pull that traffic off of the wire?

On 6/25/08, Andreas Fink <afink@xxxxxxxxxxxxx> wrote:
what worries me more is that all frames have ethernet addresses 00:00:00:00:00:00 . Somehow this can not be ethernet.

 

On 25.06.2008, at 01:59, Josh Anderson wrote:

I am not sure if this is the appropriate place to ask this question, but I pulled a capture off of a mirror port on an unfamiliar network, and I was trying to understand some of the traffic I found. I pulled out the packets in question and they are available here:
http://rapidshare.de/files/39822342/capture.pcap.html (Wasn't sure if attachments were "allowed" and I didn't have anywhere else to post this).
 
Anyways, Wireshark analyzes these packets as Fibre Channel packets, however this capture was taken from an standard 10/100 Ethernet environment and my limited understanding of Fibre Channel tells me that Fibre Channel over Ethernet should have a Ethertype of 0x8906. I do not see that Ethertype in this capture, in fact, it appears that the Ethertype is 0x0000. So, I am trying to figure out how Wireshark is determining that these are Fibre Channel packets and, if they are not actually FC packets, what kind of traffic this really is (if it truly is Fibre Channel, I'm going to have to look a lot harder for the NAS since I haven't found one as of yet). I can also provide a 50meg capture of all traffic that I filtered this from if that is helpful.
 
Any assistance is greatly appreciated!
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users

 

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users


Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube