Wireshark-users: [Wireshark-users] Unexpected Capture Results
From: "Josh Anderson" <[email protected]>
Date: Tue, 24 Jun 2008 18:59:46 -0500
I am not sure if this is the appropriate place to ask this question, but I pulled a capture off of a mirror port on an unfamiliar network, and I was trying to understand some of the traffic I found. I pulled out the packets in question and they are available here:
http://rapidshare.de/files/39822342/capture.pcap.html (Wasn't sure if attachments were "allowed" and I didn't have anywhere else to post this).
Anyways, Wireshark analyzes these packets as Fibre Channel packets, however this capture was taken from an standard 10/100 Ethernet environment and my limited understanding of Fibre Channel tells me that Fibre Channel over Ethernet should have a Ethertype of 0x8906. I do not see that Ethertype in this capture, in fact, it appears that the Ethertype is 0x0000. So, I am trying to figure out how Wireshark is determining that these are Fibre Channel packets and, if they are not actually FC packets, what kind of traffic this really is (if it truly is Fibre Channel, I'm going to have to look a lot harder for the NAS since I haven't found one as of yet). I can also provide a 50meg capture of all traffic that I filtered this from if that is helpful.
Any assistance is greatly appreciated!