Wireshark-users: Re: [Wireshark-users] 12 bytes before the IP header
From: Aleksander Veksler <[email protected]>
Date: Fri, 7 Sep 2007 11:03:17 +0200
Siterer Joerg Mayer <[email protected]>:

On Fri, Sep 07, 2007 at 12:23:54AM +0200, Aleksander Veksler wrote:
Anyone have tips on how you loose a few bytes? I get 12 bytes between
the Ethernet header and IP header. This means that wireshark does not
recognize the IP header as, and I can't use any of the wireshark's
advanced features.

Anyone know how to get rid of those bytes, or perhaps what they are?
* My card is Intel Pro/Wireless 3945ABG
* The wireless switch is D-Link DIR-635
* The problem only happens in promiscuous mode, and only to the
packets not directed to my computer
* I attach picture of a window of a sample http packet
* Please help :)
Actually it looks like this packet might have a third mac at the beginning:
Is the length of 02 d7 really correct? Sending a packet would have
helped more than the image you sent and have been smaller.
After the third mac it looks to me that there is an ordinary LLC/SNAP
The LLC dissector attempted to dissect the first 4 bytes, right after ethernet length. Again, I will have to send full data on Monday.
Thank you for the help!

Joerg Mayer                                           <[email protected]>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
Wireshark-users mailing list
[email protected]