Wireshark-dev: Re: [Wireshark-dev] Ethernet dissector in Lua

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 8 Nov 2015 09:38:43 -0800
On Nov 8, 2015, at 8:33 AM, Edgar Petrov <edgar@xxxxxxxxxxxxxxxxx> wrote:

> I am writing a dissector in Lua and I want to dissect ethernet packets where the EtherType field is actually the length (0 - 1500) and not a recognized/registered EtherType.

According to IEEE 802.3, the 2 octet field following the destination and source address fields is a type/length field, with values in the range 0 to 1500 being length values and values above 1536 being type values (and values from 1501 to 1535 being invalid).

So do you mean:

	1) I want to dissect packets in which the type/length field is in the range 0 - 1500, so that it's a length field, and in which the length field is followed by an 802.2 LLC header

or

	2) I want to dissect packets in which the type/length field has a value in the range 0 - 1500 but in which the value is an Ethernet type, in violation of the IEEE spec?

In case 1), your packets presumably either have an 802.2 SAP value assigned to them, which is used as the DSAP, or have a SNAP OUI and PID assigned to them; there are ways to handle them, but we need to know which of those two it is.

In case 2), there really isn't a way to handle that (and whoever's sending those packets really shouldn't be doing that, as it goes against the spec!).
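
The type/length distinction and the two sub-cases of case 1) described in the message above, as an added example that is not part of the original message and not Wireshark code: a stand-alone Python classifier for the 2-octet field and the 802.2 LLC/SNAP header that follows a length value. The function name, the returned dictionary keys and the sample frames are assumptions constructed for illustration.

```python
import struct

# Constructed sample frames (not from the original message): dst MAC + src MAC,
# the type/length field, then the payload.
MACS = bytes.fromhex("01005e000001" "020000000001")
SAMPLE_LLC = MACS + struct.pack("!H", 4) + bytes.fromhex("424203" "00")
SAMPLE_SNAP = MACS + struct.pack("!H", 10) + bytes.fromhex("aaaa03" "000000" "0800" "beef")
SAMPLE_TYPE = MACS + struct.pack("!H", 0x0800) + b"\x45\x00"
SAMPLE_INVALID = MACS + struct.pack("!H", 1510) + b"\x00"


def classify(frame: bytes) -> dict:
    """Classify the 2-octet field after the destination and source addresses."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-octet Ethernet header")
    (tl,) = struct.unpack_from("!H", frame, 12)
    payload = frame[14:]

    # IEEE 802.3: 1536 (0x0600) and greater is an Ethernet type.
    if tl >= 1536:
        return {"kind": "ethertype", "ethertype": tl}
    # 1501 to 1535 is neither a valid length nor a valid type.
    if tl > 1500:
        return {"kind": "invalid", "value": tl}

    # 0 to 1500 is a length; an 802.2 LLC header (DSAP, SSAP, control) follows.
    llc = payload[:tl]  # drop any Ethernet padding beyond the stated length
    if len(llc) < 3:
        return {"kind": "length", "length": tl, "llc": None}
    dsap, ssap, control = llc[0], llc[1], llc[2]  # first control octet only
    info = {"kind": "llc", "length": tl, "dsap": dsap, "ssap": ssap,
            "control": control}

    # SNAP: DSAP = SSAP = 0xAA, UI control 0x03, then 3-octet OUI and 2-octet PID.
    if dsap == 0xAA and ssap == 0xAA and control == 0x03 and len(llc) >= 8:
        info["kind"] = "snap"
        info["oui"] = llc[3:6].hex()
        (info["pid"],) = struct.unpack_from("!H", llc, 6)
    return info


if __name__ == "__main__":
    for name in ("SAMPLE_LLC", "SAMPLE_SNAP", "SAMPLE_TYPE", "SAMPLE_INVALID"):
        print(name, classify(globals()[name]))
```
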