Ethereal-users: Re: [Ethereal-users] ethereal_0_10_8

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Mon, 20 Dec 2004 10:12:51 -0800
Muzalina Zakaria wrote:

> Sorry to email directly instead of using the ethereal-users.

You didn't send directly, you mailed to ethereal-users - which is good, as people shouldn't be sending me questions directly; there's no guarantee that I'll be able to answer them, but if they ask the list they're more likely to find somebody who can.

> I did captures on my GPRS link i.e. I connected my cell phone thru USB port to my laptop. When I open the capture file, in the Packet Details pane, I got the protocol layers - Frame>Ethernet>IP>TCP>FTP (I did an FTP file transfer). Why do I get Frame and Ethernet protocol layers as I am doing capture on PPP on the link layer?

You *always* get the Frame layer in Ethereal. It's put in there by Ethereal to report information such as the packet time stamps.

If the OS running on your laptop is Windows, the networking stack includes a module called NDISWAN, which takes received PPP (or SLIP, I think) packets and transforms them into Ethernet packets before supplying them to the rest of the networking stack. The older versions of WinDump, and all versions of WinDump on Windows OT (95, 98, Me) capture over PPP links with a driver that attaches to the networking stack at a place where it receives packets from NDISWAN, so it sees packets that look like Ethernet packets. WinPcap 3.1 beta uses, on Windows NT (NT 4.0, 2000, XP, Server 2003), Microsoft's "Bloodhound" (Network Monitor) driver to capture on PPP links; I don't know whether that driver receives packets from NDISWAN or manages to get PPP packets.

Therefore, the packets Ethereal sees, when capturing on a PPP link on Windows, probably look like Ethernet packets, and therefore are dissected as Ethernet packets.
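
Added example, not part of the original message or of Ethereal's code: a classic pcap file declares one link-layer header type for the whole capture, so reading that field shows whether the capture driver delivered Ethernet-style or PPP frames. The function names `describe_capture` and `build_sample` are hypothetical, and the sample bytes are constructed rather than taken from a real capture.

```python
import struct

# Link-layer header types from the pcap file format: 1 = Ethernet, 9 = PPP.
LINKTYPES = {1: "Ethernet", 9: "PPP"}

# Magic number -> (struct byte order, timestamp resolution)
MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", "usec"),
    b"\xd4\xc3\xb2\xa1": ("<", "usec"),
    b"\xa1\xb2\x3c\x4d": (">", "nsec"),
    b"\x4d\x3c\xb2\xa1": ("<", "nsec"),
}

def describe_capture(data):
    """Return the link-layer type a classic pcap file declares and, for
    Ethernet, the EtherType of the first packet (None if unavailable)."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order, _resolution = MAGICS[data[:4]]
    # Global header after the magic: version, thiszone, sigfigs, snaplen, network
    _maj, _min, _zone, _sig, _snap, network = struct.unpack(
        order + "HHiIII", data[4:24])
    linktype = network & 0xFFFF  # low 16 bits carry the link type
    info = {"linktype": linktype,
            "name": LINKTYPES.get(linktype, "other"),
            "ethertype": None}
    # First record header: ts_sec, ts_frac, captured length, original length
    if linktype == 1 and len(data) >= 40:
        _sec, _frac, caplen, _origlen = struct.unpack(order + "IIII", data[24:40])
        frame = data[40:40 + caplen]
        if len(frame) >= 14:
            # EtherType is big-endian on the wire, whatever the file byte order
            info["ethertype"] = struct.unpack(">H", frame[12:14])[0]
    return info

def build_sample(linktype, frame, order="<"):
    """Constructed sample: a one-packet pcap file (not a real capture)."""
    magic = b"\xd4\xc3\xb2\xa1" if order == "<" else b"\xa1\xb2\xc3\xd4"
    header = magic + struct.pack(order + "HHiIII", 2, 4, 0, 0, 65535, linktype)
    record = struct.pack(order + "IIII", 0, 0, len(frame), len(frame))
    return header + record + frame

# Constructed frame: zeroed MAC addresses, EtherType 0x0800 (IPv4), no payload
SAMPLE_FRAME = bytes(12) + b"\x08\x00"

if __name__ == "__main__":
    print(describe_capture(build_sample(1, SAMPLE_FRAME)))
    print(describe_capture(build_sample(9, b"\xff\x03\x00\x21")))
```

A capture taken on a PPP link that reports link type 1 here was handed to the capture library as Ethernet-style frames, which matches the Frame>Ethernet>IP layering described in the question.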