
Wireshark-bugs: [Wireshark-bugs] [Bug 2671] ERF dissector defaults to RAW

Date: Tue, 1 Jul 2008 20:23:16 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2671





--- Comment #3 from Stephen Donnelly <stephen@xxxxxxxxxx>  2008-07-01 20:23:15 PDT ---
(In reply to comment #2)
> > erf.erfatm=atm
> 
> Is "raw ATM", with pseudo-header information, the most likely case for ATM
> traffic captured on a DAG card?

ATM appears to call erf_atm_guess_traffic_type, and heuristically guess traffic
type, then calls "atm_untruncated". The LLC option calls the "llc" dissector,
which is presumably single purpose.

The current default of RAW does not attempt any further decoding; is this
better?

> > erf.erfhdlc=chdlc
> 
> Why Cisco HDLC rather than, say, PPP?  Is Cisco HDLC more likely than PPP?

The relative likelihood probably depends on the link type, chdlc seems more
common at higher rates in my experience. Lower rate might be PPP, but it might
also be Frame Relay, or others.

> Should we have a "generic HDLC" dissector that uses heuristics to try to guess
> what type of traffic is being encapsulated in the HDLC framing, if possible?

Yes, it would probably be better to take a heuristic approach to deciding which
dissector to use, although this should be overridable via preferences.

> > erf.erfeth=ethfcs
> 
> Is the most likely case that the FCS is included in the frame?  If it's
> sufficiently likely that the FCS isn't included, we could perhaps use the
> "Ethernet and try to guess whether there's an FCS" dissector (which is the
> default for DLT_EN10MB, as some machines - including the one on which I'm
> typing this - include the FCS on incoming frames).

As the primary source of ERF traces is DAG cards, I can say that Ethernet with
FCS is by far the most likely scenario. Ethernet DAG cards normally capture the
FCS, although some models allow the optional stripping of the FCS. The FCS
could also be stripped during post-processing.

If there is a dissector which can guess if the FCS is present it may be
preferable.

