Wireshark-users: Re: [Wireshark-users] 12 bytes before the IP header
From: Aleksander Veksler <veksler@xxxxxxxxxxxx>
Date: Thu, 20 Sep 2007 01:23:27 +0200
Hello again guys,Sorry for the delay. The procedure Sake Block recommended didn't work. I first thought it was because there was a trailer, so I tried with trailer sized 1,2,3 and four (see the packet to see why), but this didn't work.
There seem to be a bug in DLT_USER configuration page, which make random characters appear in the "payload" field (it seem to me the characters are coming from the capture, but I am not sure. I attach a screenshot, can make more if you need it.
I also attached a sample http packet. I found a packet with as much clear text as possible, tell me if you need more. This particlular packet was not classified as LLC, but many others were.
Thank you again for your help. Aleksander Siterer Aleksander Veksler <veksler@xxxxxxxxxxxx>:
Siterer Joerg Mayer <jmayer@xxxxxxxxx>:On Fri, Sep 07, 2007 at 12:23:54AM +0200, Aleksander Veksler wrote:Anyone have tips on how you loose a few bytes? I get 12 bytes between the Ethernet header and IP header. This means that wireshark does not recognize the IP header as, and I can't use any of the wireshark's advanced features. Anyone know how to get rid of those bytes, or perhaps what they are? * My card is Intel Pro/Wireless 3945ABG * The wireless switch is D-Link DIR-635 * The problem only happens in promiscuous mode, and only to the packets not directed to my computer * I attach picture of a window of a sample http packet * Please help :)Actually it looks like this packet might have a third mac at the beginning: Is the length of 02 d7 really correct? Sending a packet would have helped more than the image you sent and have been smaller. After the third mac it looks to me that there is an ordinary LLC/SNAP header.The LLC dissector attempted to dissect the first 4 bytes, right after ethernet length. Again, I will have to send full data on Monday. Thank you for the help!Ciao Joerg -- Joerg Mayer <jmayer@xxxxxxxxx> We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology. _______________________________________________ Wireshark-users mailing list Wireshark-users@xxxxxxxxxxxxx http://www.wireshark.org/mailman/listinfo/wireshark-users_______________________________________________ Wireshark-users mailing list Wireshark-users@xxxxxxxxxxxxx http://www.wireshark.org/mailman/listinfo/wireshark-users
�ò� �� ��F � � ~�� �.I�� �� E Ԋ�@ +TB�R�� P�j�ڶ� C�P^�o EEEEE; color: #FFFFFF; font: 11px verdana, geneva, lucida, 'lucida grande', arial, helvetica, sans-serif; white-space: nowrap; } .vbmenu_hilite a:link { color: #000000; text-decoration: none; } .vbmenu_hilite a:visited { color: #000000; text-decoration: none; } .vbmenu_hilite a:hover, .vbmenu_hilite a:active { color: #000000; text-decoration: none; } /* ***** styling for 'big' usernames on postbit etc. ***** */ .bigusername { font-size: 14pt; } /* ***** small padding on 'thead' elements ***** */ td.thead, div.thead { padding: 4px; } /* ***** basic styles for multi-page nav elements */ .pagenav a { text-decoration: none; } .pagenav td { padding: 2px 4px 2px 4px; } /* ***** define margin and font-size for elements inside panels ***** */ .fieldset { margin-bottom: 6px; } .fieldset, .fieldset td, .fieldset p, .fieldset li { font-size: 11px; } .navbluebg { background: #5F6A79 url(skynetimages/misc/navbluebg.gif) repeat-x top left; color: #FFFFFF; font: bold 10px verdana, arial, helvetica; } .footerblue { background: #5F6A79 url(skynetimages/misc/footerblue.gif) repeat-x top left; color: #FFFFFF; font: bold 10px verdana, arial, helvetica; } /* ***** don't change the following ***** */ form { display: inline; } label { cursor: default; } .normal { font-weight: normal; } .inlineimg { vertical-align: middle; } --> </style> <!-- / CSS Stylesheet --> <script typ)=�8
Attachment:
bug_1.PNG
Description: PNG image
Attachment:
bug_2.PNG
Description: PNG image
- Follow-Ups:
- Re: [Wireshark-users] 12 bytes before the IP header
- From: Small, James
- Re: [Wireshark-users] 12 bytes before the IP header
- References:
- [Wireshark-users] 12 bytes before the IP header
- From: Aleksander Veksler
- Re: [Wireshark-users] 12 bytes before the IP header
- From: Joerg Mayer
- Re: [Wireshark-users] 12 bytes before the IP header
- From: Aleksander Veksler
- [Wireshark-users] 12 bytes before the IP header
- Prev by Date: Re: [Wireshark-users] fragmented IP packets
- Next by Date: Re: [Wireshark-users] 12 bytes before the IP header
- Previous by thread: Re: [Wireshark-users] 12 bytes before the IP header
- Next by thread: Re: [Wireshark-users] 12 bytes before the IP header
- Index(es):
- Get Wireshark
- Download
- Code of Conduct