Wireshark-users: Re: [Wireshark-users] 12 bytes before the IP header
From: Aleksander Veksler <[email protected]>
Date: Thu, 20 Sep 2007 01:23:27 +0200
Hello again guys,

Sorry for the delay. The procedure Sake Block recommended didn't work. I first thought it was because there was a trailer, so I tried with trailer sized 1, 2, 3 and four (see the packet to see why), but this didn't work.
There seems to be a bug in the DLT_USER configuration page, which makes random characters appear in the "payload" field (it seems to me the characters are coming from the capture, but I am not sure). I attach a screenshot, can make more if you need it.
I also attached a sample http packet. I found a packet with as much clear text as possible, tell me if you need more. This particular packet was not classified as LLC, but many others were.
Thank you again for your help.


Aleksander


Quoting Aleksander Veksler <[email protected]>:

Quoting Joerg Mayer <[email protected]>:

On Fri, Sep 07, 2007 at 12:23:54AM +0200, Aleksander Veksler wrote:
Anyone have tips on how you lose a few bytes? I get 12 bytes between
the Ethernet header and IP header. This means that wireshark does not
recognize the IP header as, and I can't use any of the wireshark's
advanced features.

Anyone know how to get rid of those bytes, or perhaps what they are?
* My card is Intel Pro/Wireless 3945ABG
* The wireless switch is D-Link DIR-635
* The problem only happens in promiscuous mode, and only to the
packets not directed to my computer
* I attach picture of a window of a sample http packet
* Please help :)
Actually it looks like this packet might have a third mac at the beginning:
Is the length of 02 d7 really correct? Sending a packet would have
helped more than the image you sent and have been smaller.
After the third mac it looks to me that there is an ordinary LLC/SNAP
header.
The LLC dissector attempted to dissect the first 4 bytes, right after
ethernet length. Again, I will have to send full data on Monday.

Thank you for the help!


 Ciao
       Joerg
--
Joerg Mayer                                           <[email protected]>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
_______________________________________________
Wireshark-users mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-users




Attachment: bug_1.PNG
Description: PNG image

Attachment: bug_2.PNG
Description: PNG image