We are trying to add support to ethereal for data captured off a CDMA 1x data network.
Most of the packets we capture contain PPP encapsulated in HDLC framing. Instead of the usual 0x880b identifier for PPP we get 0x8881. So far, we've modified ethereal to accept this value and strip off the HDLC framing and almost all of our packets are decoded correctly.
However, every so often we receive three packets in a row that look like the one below. The strange thing about this packet is that there is no HDLC framing, and the encapsulated IP packet seems to be truncated.
This is happening to about 20% of the packets that we are sniffing. We've tried it with several different sniffers (Network Associates Sniffer and Agilent Advisor) on a highly loaded network and on a test network with minimal load and get the same results.
Does anyone have any ideas on how (or if) we can decode the data? We're not sure if the data is some symptom of a problem on the network or just a symptom of how limited our knowledge of the protocol is.
Frame 765 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: 08:00:3e:03:02:01, Dst: 00:07:4f:87:90:1c
Internet Protocol, Src Addr: 10.160.31.69 (10.160.31.69), Dst Addr: 10.160.31.107 (10.160.31.107)
Generic Routing Encapsulation
Point-to-Point Protocol
Protocol: IP (0x0021)
Internet Protocol
Version: 0
Header length: 8 bytes (bogus, must be at least 20)
00 07 4f 87 90 1c 08 00 3e 03 02 01 08 00 45 00
00 30 1d 68 00 00 40 2f 09 48 0a a0 1f 45 0a a0
1f 6b 20 00 88 81 00 00 00 91
Encapsulated IP packet:
21 02 01 00 10 02
06 00 2d 0f 00 03 06 0a a0 1f 63 64 08 7e fe 11
d3 01