Wireshark · Wireshark-users: [Wireshark-users] Layer 2 identification...

Wireshark-users: [Wireshark-users] Layer 2 identification...

From: barcaroller <barcaroller@xxxxxxxxx>

Date: Thu, 11 May 2017 16:29:05 -0400

I'm hoping someone can point me in the right direction.ï¿½ I have a PCAPfile where the packets do not have an Ethernet header; instead theyhave a PPP (Point-to-Point Protocol) header.


I have a few questions.

1. The PPP header I'm seeing in wireshark has the following structure:

ï¿½ï¿½ï¿½ Addressï¿½ï¿½ï¿½ï¿½ 0xFF (1 byte)
ï¿½ï¿½ï¿½ Controlï¿½ï¿½ï¿½ï¿½ 0x03 (1 byte)
ï¿½ï¿½ï¿½ Protocolï¿½ 0x0021 (2 bytes)
ï¿½ï¿½ï¿½ <...followed by IPv4...>

What happened to the 1-byte Flag field (usually set at 0x7E) whichindicates the beginning of the PPP frame?

2. Given that the flag field is missing, how was wireshark still ableto guess the proper format of the packet?ï¿½ The packet format is:


ï¿½ï¿½ï¿½ PPP
ï¿½ï¿½ï¿½ï¿½ï¿½ IPv4
ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ UDP/Teredo
ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ IPv6
ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ ICMPv6

3. Even if the flag field were present, how does wireshark usuallyidentify the type of Layer 2 header?ï¿½ Does it guess?

Prev by Date: [Wireshark-users] Decommissioning ftp.wireshark.org
Previous by thread: [Wireshark-users] Decommissioning ftp.wireshark.org
Index(es):
- Date
- Thread