Ethereal-users: Re: [Ethereal-users] network type 13 unknown or unsupported

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Martin Regner" <martin.regner@xxxxxxxxx>
Date: Wed, 18 Feb 2004 22:30:43 +0100
Martin Regner wrote:
> Guy Harris wrote:
> > On Mon, Feb 16, 2004 at 12:48:08PM +0100, diaz_d1@xxxxxx wrote:
> > > I'm trying to analyze BGP session over ATM but I get "network type 13
> > > unknown".
> >
> > On what OS did you run tcpdump?
> >
> > A network capture type of 13 means different things on different OSes.
> >
> > In FreeBSD and NetBSD, it means DLT_SLIP_BSDOS, which is a libpcap
> > encapsulation of SLIP that's used in BSD/OS - but FreeBSD and NetBSD
> > don't use that encapsulation and don't generate captures of that sort,
> > and DLT_SLIP_BSDOS is 15, not 13, in BSD/OS.
> >
> > In BSD/OS, 13 is DLT_ATM_RFC1483, for traffic encapsulated over ATM AAL5
> > as per RFC 1483.
> >
> > In OpenBSD, it's DLT_ENC, which I think is some sort of encapsulation
> > used for decrypted IPsec traffic.
> >
>
> diaz_d1 enclosed a sample capture with his mail.
>
> I think it looked like LLC header AA-AA-03 (i.e. SNAP header), but with four
> bytes before the LLC header.
>
> I guess that it is DLT_ATM_RFC1483 but with four extra bytes first.

Maybe it is captured with some special Nokia tcpdump version.

When I modified the linktype value that Ethereal supports the Summary info
said "Nokia libpcap (tcpdump)".

If I remove the four first octets for each packet (by using text2pcap) and
set linktype to 100 then I see LLC-SNAP/IP/GTP/IP/.. packets
that look reasonable, but they are truncated due to a too short snapshot
length (the "-s" option could be used to use a greater snapshot length
when capturing with tcpdump).
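
The rewrite described in the message above (drop the first four octets of every packet, set the linktype to 100) can also be done directly on the capture file. The following is an added example, not part of the original message and not the text2pcap route the poster used. It assumes a classic pcap file with standard 16-byte record headers and the four octets at the start of each packet's data; the function names and the sample capture are constructed for illustration.

```python
import struct

HDR, REC = "IHHiIII", "IIII"          # classic pcap file header / record header
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # byte order by magic

def read_pcap(pcap: bytes):
    """Return (byte order, file header fields, [(ts_sec, ts_usec, orig_len, data)])."""
    endian = MAGIC.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic microsecond-resolution pcap file")
    header = struct.unpack(endian + HDR, pcap[:24])
    records, off = [], 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl, orig = struct.unpack_from(endian + REC, pcap, off)
        data = pcap[off + 16 : off + 16 + incl]
        if len(data) < incl:
            break                      # last record cut off on disk
        records.append((ts_sec, ts_usec, orig, data))
        off += 16 + incl
    return endian, header, records

def strip_prefix(pcap: bytes, extra: int = 4, linktype: int = 100) -> bytes:
    """Drop `extra` leading octets from each packet and rewrite the linktype."""
    endian, header, records = read_pcap(pcap)
    out = [struct.pack(endian + HDR, *header[:6], linktype)]
    for ts_sec, ts_usec, orig, data in records:
        if len(data) < extra:
            continue                   # nothing left after the prefix
        body = data[extra:]
        out.append(struct.pack(endian + REC, ts_sec, ts_usec, len(body),
                               max(orig - extra, len(body))) + body)
    return b"".join(out)

def sample_capture() -> bytes:
    """Constructed input: one linktype-13 packet, snaplen-truncated to 12 of 100 octets."""
    data = bytes(4) + bytes.fromhex("aaaa03" "000000" "0800")  # 4 unknown octets + LLC/SNAP
    return (struct.pack("<" + HDR, 0xA1B2C3D4, 2, 4, 0, 0, 68, 13)
            + struct.pack("<" + REC, 1077139843, 0, len(data), 100) + data)

if __name__ == "__main__":
    _, header, records = read_pcap(strip_prefix(sample_capture()))
    print("linktype", header[6], "first packet", records[0][3].hex())
```

Both the captured length and the original length of each record are reduced, so the truncation caused by the short snapshot length stays visible in the rewritten file.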