Ethereal-dev: SV: [Ethereal-dev] AIX 'iptrace' format and FDDI

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Martin Regner" <martin.regner@xxxxxxxxx>
Date: Fri, 1 Nov 2002 20:24:31 +0100

Guy Harris wrote:
>There is code to attempt to handle them, which makes some assumptions
>that might not be true (i.e., that FDDI iptrace files look like Ethernet
>iptrace files, only with a different encapsulation type and with the raw
>Ethernet data replaced by raw FDDI data; perhaps, for example, they put
>1 or 3 bytes of padding in front of the raw FDDI data to align it
>better).


Guy is correct.
There seem to be 3 bytes of padding in front of the raw FDDI data (50 10 00 5a ...)

0000  00 1c 36 50 10 00 5a b8 67 dd 10 00 5a b8 51 fa   ..6P..Z.g...Z.Q.
0010  aa aa 03 00 00 00 08 00 45 00 00 72 75 e9 00 00   ........E..ru...
0020  3c 06 ae d2 ab 15 01 cf ab 15 01 d1 02 01 03 ff   <...............
0030  e5 64 36 45 e8 39 c1 4d 50 18 3e bc 0d 75 00 00   .d6E.9.MP.>..u..
0040  30 35 31 33 2d 30 35 39 20 54 68 65 20 69 70 74   0513-059 The ipt
0050  72 61 63 65 20 53 75 62 73 79 73 74 65 6d 20 68   race Subsystem h
0060  61 73 20 62 65 65 6e 20 73 74 61 72 74 65 64 2e   as been started.
0070  20 53 75 62 73 79 73 74 65 6d 20 50 49 44 20 69    Subsystem PID i
0080  73 20 31 39 34 36 34 2e 0d 0a                     s 19464...

====( 138 bytes transmitted on interface fi0 )==== 10:22:46.456412160
FDDI packet
FDDI MAC header:
frame control field = 50
[ src = 10:00:5a:b8:51:fa, dst = 10:00:5a:b8:67:dd]
802.2 LLC header:
dsap aa, ssap aa, ctrl 3, proto 0:0:0, type 800 (IP)
IP header breakdown:
 < SRC =    171.21.1.207 >  (splu9005.td.klm.nl)
 < DST =    171.21.1.209 >  (splu9002.td.klm.nl)
 ip_v=4, ip_hl=20, ip_tos=0, ip_len=114, ip_id=30185, ip_off=0
 ip_ttl=60, ip_sum=aed2, ip_p = 6 (TCP)
:
:


(if_type=0F, IFT_FDDI  ==> WTAP_ENCAP_FDDI_BITSWAPPED).



Regards,
  Martin
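
An added example, not part of the original message or of Ethereal's code: a Python sketch that decodes the leading bytes of the hex dump above with 0 to 3 bytes of padding and keeps the pad lengths at which the LLC/SNAP header and the IPv4 header checksum both validate. The function names are hypothetical, and MAC addresses are printed in file byte order with no bit reversal, as in the iptrace text decode.

```python
import struct

# Leading bytes of the record, copied from the hex dump in the post
# (offsets 0x00-0x2b: padding, FDDI MAC header, LLC/SNAP, IPv4 header).
RECORD = bytes.fromhex(
    "001c36" "50" "10005ab867dd" "10005ab851fa"
    "aaaa03000000" "0800"
    "4500007275e900003c06aed2ab1501cfab1501d1"
)

def mac(b):
    # Bytes are shown in file order, matching the iptrace decode in the post.
    return ":".join(f"{x:02x}" for x in b)

def ip_checksum_ok(hdr):
    # The one's-complement sum over a valid IPv4 header folds to 0xffff.
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_fddi_record(data, pad):
    """Decode FC, MAC addresses, LLC/SNAP and IPv4 after `pad` pad bytes."""
    frame = data[pad:]
    if len(frame) < 21:
        raise ValueError("too short for FDDI MAC + LLC/SNAP headers")
    out = {"fc": frame[0], "dst": mac(frame[1:7]), "src": mac(frame[7:13]),
           "snap": frame[13:16] == b"\xaa\xaa\x03", "ip": None}
    if not out["snap"]:
        return out  # misaligned or non-SNAP frame: stop decoding here
    out["ethertype"] = struct.unpack("!H", frame[19:21])[0]
    ip = frame[21:]
    if out["ethertype"] == 0x0800 and len(ip) >= 20 and ip[0] >> 4 == 4:
        hl = (ip[0] & 0x0F) * 4
        if 20 <= hl <= len(ip):
            total_len, ident = struct.unpack("!HH", ip[2:6])
            out["ip"] = {"hl": hl, "len": total_len, "id": ident,
                         "ttl": ip[8], "proto": ip[9],
                         "src": ".".join(map(str, ip[12:16])),
                         "dst": ".".join(map(str, ip[16:20])),
                         "sum_ok": ip_checksum_ok(ip[:hl])}
    return out

def candidate_pads(data, max_pad=3):
    """Pad lengths for which SNAP and the IPv4 checksum both validate."""
    hits = []
    for pad in range(max_pad + 1):
        r = parse_fddi_record(data, pad)
        if r["ip"] and r["ip"]["sum_ok"]:
            hits.append(pad)
    return hits

if __name__ == "__main__":
    print(candidate_pads(RECORD), parse_fddi_record(RECORD, 3))
```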