Ethereal-dev: Re: [Ethereal-dev] Broken WellFleet packet-types/DLT types ...

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 19 Dec 2002 13:36:11 -0800

On Thu, Dec 19, 2002 at 01:15:06PM -0800, Richard Sharpe wrote:
> The first 7 bytes of the capture file contained the words TRSNIFF,

Actually, that's just the standard DOS Sniffer magic number
"TRSNIFF data    \x1a", which is used for all DOS Sniffer captures
regardless of the link-layer type.

WAN point-to-point captures have a link-layer type that says only
whether it's a synchronous or asynchronous capture; the sync captures,
at least, also have, in at least some versions of the file, an
indication of the type of traffic, but one of the traffic types is
"Bridge/Router", which covers a number of different HDLC-style
protocols, including PPP, Cisco HDLC, Wellfleet point-to-point,
apparently LAPB (the fact that there's another traffic type "HDLC",
which is also used for LAPB, notwithstanding - I think I've seen LAPB
traffic in both "HDLC" and "Bridge/Router" captures), and, annoyingly,
ISDN (the fact that NAI have different types of hardware capture pods
for ISDN and other serial traffic, and therefore that the sniffer knows
whether it's ISDN or not, notwithstanding).
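
The following is an added example, not part of the message above and not Ethereal's code. It checks the magic number quoted in the message and then, going beyond what the message states, guesses the protocol of "Bridge/Router" frames from their first two bytes; the function names, the header values tested, and the sample frames are assumptions constructed for illustration.

```python
"""Added example: the magic identifies the file format, not the link layer."""

# Magic number as quoted in the message: 17 bytes, the same for every capture.
SNIFFER_MAGIC = b"TRSNIFF data    \x1a"


def is_dos_sniffer(file_head: bytes) -> bool:
    """True if the buffer starts with the DOS Sniffer magic number."""
    return file_head.startswith(SNIFFER_MAGIC)


def guess_hdlc_encap(frame: bytes) -> str:
    """Guess the protocol of one HDLC-style frame from address/control bytes.

    Assumption (not from the message): only well-known published header
    values are tested. PPP in HDLC-like framing starts FF 03 (RFC 1662),
    Cisco HDLC starts 0F 00 (unicast) or 8F 00 (broadcast), and LAPB uses
    address 01 or 03. Everything else, Wellfleet and ISDN included, is
    reported as "unknown" rather than guessed.
    """
    if len(frame) < 2:
        return "unknown"  # too short to carry address and control bytes
    addr, ctrl = frame[0], frame[1]
    if addr == 0xFF and ctrl == 0x03:
        return "ppp"
    if addr in (0x0F, 0x8F) and ctrl == 0x00:
        return "cisco-hdlc"
    if addr in (0x01, 0x03):
        return "lapb"
    return "unknown"


def triage(file_head: bytes, frames: list) -> list:
    """Per-frame guesses, or an empty list if the file is not DOS Sniffer."""
    if not is_dos_sniffer(file_head):
        return []
    return [guess_hdlc_encap(f) for f in frames]


# Constructed sample frames (not taken from any real capture).
SAMPLE_FRAMES = [
    bytes.fromhex("ff03c0210101"),  # PPP carrying LCP
    bytes.fromhex("0f0008004500"),  # Cisco HDLC carrying IPv4
    bytes.fromhex("013f"),          # LAPB SABM with address 01
    bytes.fromhex("0703"),          # not matched by the checks above
]

if __name__ == "__main__":
    print(triage(SNIFFER_MAGIC, SAMPLE_FRAMES))
```
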