Ethereal-users: Re: [Ethereal-users] Bad protocol id?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Tue, 17 Jan 2006 10:44:14 -0800

Terry Shaw wrote:

I'm seeing the following frames on my router, but they are not 802.3 frames even though the protocol id is 0x0070 and is being interpreted as an 802.3 length field. I can see PPPoE and IP headers in the frame. How do I "force" Ethereal to interpret this frame as an Ethernet II frame and decode the encapsulated protocols correctly?

Any Ethernet frame that has 0x00 0x70 in the type/length field is incapable of being decoded "correctly" if interpreted as an Ethernet II frame, as there *IS* no valid Ethernet type value of 0x0070. Values less than 1536 in the type/length field are not valid type values.

Ethereal has no mechanism that forces it to interpret packets with values less than 1500 as Ethernet II frames. (1500 rather than 1536 because there's a range 1500-1535 where the 802.3 spec doesn't indicate whether the field is to be interpreted as a type field rather than a length field; I guess Ethereal could just report that as an invalid packet.)

If packets of that sort are being transmitted by some hardware or software on your network, perhaps the forcing that should be done is forcing that hardware or software to leave your network, and forcing whoever developed it to read a recent version of the IEEE 802.3 specification, paying special attention to the "Length/Type field" section of the "Media access control frame structure" chapter.

If, instead, the packet is being transmitted correctly, but whatever OS you're running or whatever Ethernet driver you're running on the machine on which you're running Ethereal is "helpfully" mangling the packet, the forcing that should be done is forcing it to stop doing that; you'd have to ask the vendor of the OS or the driver how to do that, if it's possible.
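
The type/length rule discussed in this message, as an added example that is not part of the original post and not Ethereal's own code: a classifier that shows why a frame carrying 0x0070 is read as an 802.3 length. It uses the IEEE 802.3 boundaries (length up to 1500, type from 1536) and goes slightly further by naming the 802.3 sub-encapsulation from the first two payload bytes; the function names, MAC addresses and sample frames are constructed.

```python
import struct

MAX_8023_LEN = 1500    # 0x05DC: largest value that is a length
MIN_ETHERTYPE = 1536   # 0x0600: smallest value that is a type
ETH_HDR_LEN = 14       # dst MAC (6) + src MAC (6) + type/length (2)


def classify_frame(frame: bytes) -> dict:
    """Classify an Ethernet frame by its 16-bit type/length field."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("truncated frame: need at least 14 bytes")
    (field,) = struct.unpack("!H", frame[12:14])
    payload = frame[ETH_HDR_LEN:]
    result = {"field": field, "notes": []}
    if field >= MIN_ETHERTYPE:
        result.update(kind="ethernet-ii", ethertype=field)
    elif field > MAX_8023_LEN:
        result["kind"] = "undefined"
        result["notes"].append("1501-1535 is neither a length nor a type")
    else:
        result.update(kind="802.3", length=field)
        if field > len(payload):
            result["notes"].append("declared length exceeds available payload")
        head = payload[:2]
        if head == b"\xff\xff":       # IPX checksum directly after the header
            result["encap"] = "raw 802.3 (Novell IPX)"
        elif head == b"\xaa\xaa":     # DSAP/SSAP both 0xAA
            result["encap"] = "LLC/SNAP"
        else:                         # anything else is parsed as 802.2 LLC
            result["encap"] = "LLC"
    return result


def make_frame(field: int, payload: bytes) -> bytes:
    """Build a constructed sample frame with placeholder MAC addresses."""
    dst, src = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    return dst + src + struct.pack("!H", field) + payload


if __name__ == "__main__":
    # Constructed samples: 0x11 0x00 is how a PPPoE session header begins.
    pppoe = b"\x11\x00" + bytes(110)
    for field in (0x0070, 0x8864, 1510):
        print(hex(field), classify_frame(make_frame(field, pppoe)))
```

With 0x0070 in the field, the PPPoE bytes that follow are handed to the LLC path, which is the misdecode described in the question; only a value of 1536 or above (0x8864 for PPPoE session traffic) selects Ethernet II.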