
Wireshark-dev: [Wireshark-dev] Funky packet, bad capture, bad display or what?

From: "John McDermott" <jjm@xxxxxxxxxx>
Date: Mon, 10 Jul 2006 10:52:54 -0600

A friend sent me a trace with this packet:
Frame 1 (78 bytes on wire, 78 bytes captured)
    Arrival Time: Jul  9, 2006 13:58:01.527266000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 78 bytes
    Capture Length: 78 bytes
Ethernet II, Src: 00:00:80:11:ea:96, Dst: 45:00:00:4e:91:fd
    Destination: 45:00:00:4e:91:fd (45:00:00:4e:91:fd)
    Source: 00:00:80:11:ea:96 (CrayComm_11:ea:96)
    Type: Unknown (0xa9fe)
Data (64 bytes)

0000  6a 0e a9 fe ff ff 00 89 00 89 00 3a c8 f8 e1 e0   j..........:....
0010  01 10 00 01 00 00 00 00 00 00 20 46 44 45 4e 46   .......... FDENF
0020  45 46 41 43 4f 46 4a 45 42 45 4f 45 45 45 46 46   EFACOFJEBEOEEEFF
0030  49 43 4f 46 43 46 46 43 41 41 41 00 00 20 00 01   ICOFCFFCAAA.. ..

First, the hex does not seem to match with the Ethernet II decode. Second, there were three of these in a row with incrementing MAC addresses. I am not sure what I am seeing (and neither is Ethereal). My Ethereal decodes other frames correctly. Is it possible his capture is confused or what? Any ideas? (I do not know what version he has, but he said he downloaded it in the last few months.)

--john

--
John McDermott, CPLP, CCP
Writer, Educator, Consultant
jjm at jkintl.com        www.jkintl.com
V: +1 505/377-6293  F: +1 505/377-6313
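
The mismatch raised in the post can be checked mechanically. The following is an added example, not part of the original message or of Ethereal/Wireshark: it rebuilds the 78 bytes from the decode above and tests whether they parse as an IPv4 packet with no link-layer header in front (version nibble, total length, header checksum). The function names are hypothetical.

```python
import struct
from ipaddress import IPv4Address

# Frame 1 rebuilt from the decode above: the 14 bytes shown as the Ethernet
# header (dst, src, type) followed by the 64 bytes shown as "Data".
FRAME = bytes.fromhex(
    "45 00 00 4e 91 fd  00 00 80 11 ea 96  a9 fe "
    "6a 0e a9 fe ff ff 00 89 00 89 00 3a c8 f8 e1 e0 "
    "01 10 00 01 00 00 00 00 00 00 20 46 44 45 4e 46 "
    "45 46 41 43 4f 46 4a 45 42 45 4f 45 45 45 46 46 "
    "49 43 4f 46 43 46 46 43 41 41 41 00 00 20 00 01"
)

def ethertype(frame: bytes) -> int:
    """EtherType field when the bytes are read as Ethernet II."""
    return struct.unpack("!H", frame[12:14])[0]

def inet_checksum_ok(header: bytes) -> bool:
    """True when the one's-complement sum of the 16-bit words is 0xffff."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_raw_ipv4(frame: bytes):
    """Read the bytes as IPv4 from offset 0; None when they do not fit."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if ihl < 20 or len(frame) < ihl:
        return None
    total_len = struct.unpack("!H", frame[2:4])[0]
    # Heuristic: an unpadded raw-IP capture is exactly total_len bytes long.
    if total_len != len(frame) or not inet_checksum_ok(frame[:ihl]):
        return None
    info = {"src": str(IPv4Address(frame[12:16])),
            "dst": str(IPv4Address(frame[16:20])),
            "ttl": frame[8], "proto": frame[9]}
    if frame[9] == 17 and len(frame) >= ihl + 8:  # UDP
        sport, dport, ulen = struct.unpack("!HHH", frame[ihl:ihl + 6])
        info.update(sport=sport, dport=dport, udp_len=ulen)
    return info

if __name__ == "__main__":
    print("as Ethernet II: type 0x%04x" % ethertype(FRAME))
    print("as raw IPv4   :", parse_raw_ipv4(FRAME))
```

On this frame the raw-IPv4 reading passes every check (valid header checksum, total length 78, UDP port 137 to 137 between 169.254.106.14 and 169.254.255.255), which points to a capture recorded or saved with the wrong link-layer type rather than a malformed Ethernet frame. The "incrementing MAC addresses" would then be the IP identification and checksum fields changing from packet to packet.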