Wireshark · Ethereal-dev: Re: [Ethereal-dev] Broken Wellfleet LAPB captures ...

[Guy Harris <guy@xxxxxxxxxx>]

On Thu, Dec 19, 2002 at 02:13:01PM -0800, Richard Sharpe wrote:
> On Thu, 19 Dec 2002, Guy Harris wrote:
> 
> > RFC 1547 suggests that it merely has an Ethernet type; are you saying
> > that a full Ethernet header, complete with destination and source MAC
> > addresses, follows the first two bytes?
> 
> Yes, every frame in the capture sent to me contains:
> 
>   07 03 ab cd ef gh ij kl mn op qr st uv wx 08 00 45 ...

Sigh.

I guess we can use 0x07 0x03 as an indicator of Wellfleet PPP, for now. 
I'd modify "infer_pkt_encap()" to take a pointer to the first octet of
the packet, and the number of octets in the packet, as arguments, and
have it check for:

	0xff 0x03 = PPP
	0x07 0x03 = Wellfleet HDLC
	0x08 0x00 or 0x8F 0x00 = Cisco HDLC (although RFC 1547 says, in
	    "4.3.1 Cisco Systems point-to-point protocols", "the second
	    octet (control byte) is left zero *and is not checked on
	    reception*, so we *might* have to remove the check of the
	    second octet at some point)
	0x34 or 0x28 as the first octet - Frame Relay
	anything else with the low-order bit set in the first byte = LAPB
	anything else = LAPD (ISDN)

If there's ever Wellfleet PPP traffic that doesn't start with 0x07 (or
if somebody finds a document specifying the Wellfleet PPP format), we'll
have to rethink that.