Ethereal-dev: Re: [ethereal-dev] Null capture type ...

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Sun, 5 Dec 1999 23:17:07 -0800
> Hmmm, a little experimentation, producing a Null capture with my little
> program shows me that Ethereal already understands a capture file that
> starts with
> 
>    0xFF000800 
> 
> as long as it is set as a NULL ENCAP type in the Wiretap file ...

"dissect_null()" would:

	not see 0xFF followed by 0x03, and not think of it as PPP;

	extract the first four octets as a 32-bit integer, giving:

		on a big-endian machine, 0xFF000800;

		on a little-endian machine, 0x000800FF;

	check whether the upper 16 bits are zero and, if not, byte swap
	it, giving:

		on a big-endian machine, 0x000800FF;

		on a little-endian machine, 0xFF000800;

	see that it's bigger than an IEEE_802_3_MAX_LEN, infer that it
	must have been a Linux loopback packet as munged by "libpcap",
	with 0x0000 followed by an ethertype, and hand it to
	"ethertype()" with an offset of 4 - "ethertype()" would grab the
	2 bytes before that offset and treat it as an Ethernet type, so,
	on a little-endian machine, it'd happen to do the right thing.

However, that's by accident rather than by design (and, I think, would
work only on a little-endian machine).

Any idea how the file in question was captured before being turned into
a "tcpdump" file?
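As an added illustration, not code from this thread or from Ethereal itself, the following C program simulates the "dissect_null()" heuristic exactly as the steps above describe it: PPP check on 0xFF 0x03, read the first four octets as a host-order 32-bit integer, byte swap when the upper 16 bits are non-zero, compare against IEEE_802_3_MAX_LEN (assumed to be 1500, as in Ethereal's headers), and on the Linux-loopback path take the two octets before offset 4 as the Ethertype. The packet bytes are constructed; the endianness of the host is a parameter so both columns of the reasoning above can be run on one machine. It also goes beyond the 0xFF000800 case to a plain BSD loopback header (AF_INET = 2 written by a little-endian host) to show why the byte-swap step exists.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed value, as in Ethereal's headers: the largest 802.3 length field.
 * A swapped header above this cannot be a BSD address family, so the
 * heuristic infers a Linux loopback frame (0x0000 + Ethertype). */
#define IEEE_802_3_MAX_LEN 1500

enum null_verdict { NULL_TOO_SHORT, NULL_PPP, NULL_BSD_FAMILY, NULL_LINUX_ETHERTYPE };

struct null_result {
    enum null_verdict verdict;
    uint32_t raw;        /* first four octets read in simulated host order   */
    uint32_t header;     /* value after the optional byte swap               */
    uint16_t ethertype;  /* only meaningful for NULL_LINUX_ETHERTYPE         */
};

static uint32_t bswap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0xFF00u) | ((v << 8) & 0xFF0000u) | (v << 24);
}

/* Simulate dissect_null() on packet data pd, for a host of the given
 * endianness (little_endian != 0 means read the 32-bit word LSB-first). */
struct null_result dissect_null_sim(const uint8_t *pd, size_t len, int little_endian)
{
    struct null_result r = { NULL_TOO_SHORT, 0, 0, 0 };
    if (len < 4)
        return r;
    if (pd[0] == 0xFF && pd[1] == 0x03) {        /* PPP address/control */
        r.verdict = NULL_PPP;
        return r;
    }
    if (little_endian)
        r.raw = (uint32_t)pd[0] | (uint32_t)pd[1] << 8 |
                (uint32_t)pd[2] << 16 | (uint32_t)pd[3] << 24;
    else
        r.raw = (uint32_t)pd[0] << 24 | (uint32_t)pd[1] << 16 |
                (uint32_t)pd[2] << 8 | (uint32_t)pd[3];
    /* Upper 16 bits set: assume the file was written on a host of the
     * other byte order and swap. */
    r.header = (r.raw & 0xFFFF0000u) ? bswap32(r.raw) : r.raw;
    if (r.header > IEEE_802_3_MAX_LEN) {
        r.verdict = NULL_LINUX_ETHERTYPE;
        /* ethertype() with offset 4 reads the two octets before the offset
         * in network order. */
        r.ethertype = (uint16_t)((uint16_t)pd[2] << 8 | pd[3]);
    } else {
        r.verdict = NULL_BSD_FAMILY;
    }
    return r;
}

/* Constructed sample headers (not captured data). */
static const uint8_t ff_header[4]  = { 0xFF, 0x00, 0x08, 0x00 }; /* the case from the mail */
static const uint8_t bsd_le_inet[4] = { 0x02, 0x00, 0x00, 0x00 }; /* AF_INET, LE writer   */
static const uint8_t ppp_header[4]  = { 0xFF, 0x03, 0x00, 0x21 }; /* PPP, IP protocol     */

int main(void)
{
    static const char *names[] = { "too short", "PPP", "BSD family", "Linux ethertype" };
    const uint8_t *pkts[] = { ff_header, bsd_le_inet, ppp_header };
    for (size_t i = 0; i < 3; i++) {
        for (int le = 0; le <= 1; le++) {
            struct null_result r = dissect_null_sim(pkts[i], 4, le);
            printf("%s-endian: raw 0x%08X header 0x%08X -> %s (ethertype 0x%04X)\n",
                   le ? "little" : "big", r.raw, r.header,
                   names[r.verdict], r.ethertype);
        }
    }
    return 0;
}
```

Running it reproduces the two columns above: big-endian reads 0xFF000800 and swaps to 0x000800FF, little-endian reads 0x000800FF and swaps to 0xFF000800, and both fall through to the Ethertype path with 0x0800. The BSD sample shows the swap doing its intended job: a big-endian reader turns 0x02000000 back into AF_INET. The thing to notice from the defender's side is that a dissector guessing the on-disk format from the first word is steering its parsing decisions on untrusted bytes plus the reader's byte order, which is exactly why the question of how the file was really captured matters.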