Ethereal-users: Re: [Ethereal-users] Problems Importing TCPDUMP Output into Ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Thu, 11 Mar 2004 01:38:27 -0800
On Mon, Apr 14, 2003 at 10:14:54PM +0100, Martin Regner wrote:
> Certain Symantec Enterprise Firewall and Raptor firewall versions
> seem to include a special Windows port of tcpdump, and the following
> web page explains a few things about that tcpdump version.  However,
> it does not give enough information to support the captures made with
> that tcpdump version (libpcap files with link layer type 99).

Thanks a lot, Axent, for taking a new link-layer type value without
telling tcpdump.org about it or telling anybody what the format was.

Somebody sent a capture to the Ethereal list from that firewall; the
link-layer header appears to have 6 bytes of unknown data, 2 bytes of
what appears to be an Ethernet type value, and 36 bytes of what appears
to be zeroes.

I've checked in changes to read those files in Ethereal, under the
assumption that the header does contain that.  Those changes will be in
the next Ethereal release, whenever that comes out (I don't know when
that will be).

I've also checked in libpcap and tcpdump changes to read them.

> The information on Symantec's homepage is very limited, but indicates
> that "link layer headers are not available" when using that tcpdump
> version.

Those pages no longer appear to be available - or the URLs contain some
per-session information so that they don't work.  Is there any way that
somebody without a support account for the firewall can get to those
pages using some URL that doesn't contain any session IDs?

> It seems that the capture Richard sent
> (http://www.ethereal.com/lists/ethereal-users/200304/msg00137.html)
> contained IP packets with some kind of packet header after the normal
> libpcap packet header.
> The extra packet header looked the same for all packets in that file
> (88 AE C8 78 00 00 08 00 00 00 00 00 00 00 00 00 ...  00 00 00 00) and
> it was easy to make an Analyzer (http://analyzer.polito.it) LFF-file
> that just discards those octets and sets the link layer type to Raw IP.

As per the above, I suspect the 08 00 is an Ethernet type.
> I sent the LFF file to Richard together with a converted capture a
> couple of days ago, and today he confirmed that the tcpdump program came
> with the Raptor firewall.
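The conversion Martin describes (discard the extra octets, set the link layer type to Raw IP) can be done directly on the libpcap file, which is also a quick way to test Guy's assumption about the header layout before trusting a dissector built on it. The following is an added example written for this archive page; it is not Ethereal, libpcap or Analyzer code. It assumes the standard 24-byte pcap global header and 16-byte record header, the value 101 for the pcap LINKTYPE_RAW ("raw IP") link type, and the 44-byte layout Guy infers: 6 unknown bytes, a 2-byte Ethernet type, 36 zero bytes. The sample capture it builds is constructed from the header bytes quoted above followed by a minimal IPv4 header; the conversion refuses to proceed if the 36-byte trailer is not all zero, so a file that does not match the assumed layout is reported rather than silently mangled.

```python
import struct

LINKTYPE_SYMANTEC_FIREWALL = 99   # link-layer type written by the Raptor tcpdump port (from the thread)
LINKTYPE_RAW = 101                # standard pcap value for "packets start with the IP header"
ETHERTYPE_IPV4 = 0x0800
PSEUDO_HDR_LEN = 6 + 2 + 36       # unknown(6) + Ethernet type(2) + zeroes(36), per Guy's analysis


def split_pseudo_header(pkt):
    """Return (unknown6, ethertype, ip_payload), verifying the assumed 44-byte layout."""
    if len(pkt) < PSEUDO_HDR_LEN:
        raise ValueError("packet shorter than the 44-byte pseudo-header")
    unknown = pkt[:6]
    ethertype = struct.unpack(">H", pkt[6:8])[0]          # Ethernet types are big-endian
    if pkt[8:PSEUDO_HDR_LEN] != bytes(36):
        raise ValueError("bytes 8..43 are not all zero; header layout assumption does not hold")
    return unknown, ethertype, pkt[PSEUDO_HDR_LEN:]


def _endianness(magic):
    """Pick the struct byte-order prefix from the pcap magic number."""
    if magic == b"\xd4\xc3\xb2\xa1":
        return "<"
    if magic == b"\xa1\xb2\xc3\xd4":
        return ">"
    raise ValueError("not a microsecond-resolution pcap file")


def pcap_linktype(buf):
    """Read the link-layer type field of a pcap global header."""
    e = _endianness(buf[:4])
    return struct.unpack(e + "I", buf[20:24])[0]


def convert_to_raw_ip(buf):
    """Rewrite a link-type-99 pcap as a LINKTYPE_RAW pcap, dropping the pseudo-header
    from every record.  Returns (new_pcap_bytes, list of Ethernet types seen)."""
    e = _endianness(buf[:4])
    fields = list(struct.unpack(e + "IHHiIII", buf[:24]))
    if fields[6] != LINKTYPE_SYMANTEC_FIREWALL:
        raise ValueError("expected link-layer type 99, got %d" % fields[6])
    fields[6] = LINKTYPE_RAW
    out = [struct.pack(e + "IHHiIII", *fields)]
    ethertypes = []
    off = 24
    while off < len(buf):
        ts_sec, ts_usec, incl, orig = struct.unpack(e + "IIII", buf[off:off + 16])
        off += 16
        pkt = buf[off:off + incl]
        off += incl
        if len(pkt) != incl:
            raise ValueError("truncated record")
        _, ethertype, payload = split_pseudo_header(pkt)
        ethertypes.append(ethertype)
        # Record lengths shrink by the 44 bytes that were removed.
        out.append(struct.pack(e + "IIII", ts_sec, ts_usec, len(payload), orig - PSEUDO_HDR_LEN))
        out.append(payload)
    return b"".join(out), ethertypes


# Constructed sample input: the pseudo-header bytes quoted in the thread plus a minimal
# 20-byte IPv4 header (10.0.0.1 -> 10.0.0.2, ICMP, checksum left zero).
SAMPLE_PSEUDO_HDR = bytes.fromhex("88aec87800000800") + bytes(36)
SAMPLE_IPV4 = bytes.fromhex("45000014000100004001") + b"\x00\x00" + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2])


def build_sample_pcap():
    """Build a little-endian link-type-99 pcap with two identical records (test data)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_SYMANTEC_FIREWALL)
    recs = b""
    for i in range(2):
        pkt = SAMPLE_PSEUDO_HDR + SAMPLE_IPV4
        recs += struct.pack("<IIII", 1050000000 + i, 0, len(pkt), len(pkt)) + pkt
    return hdr + recs


if __name__ == "__main__":
    converted, types = convert_to_raw_ip(build_sample_pcap())
    print("link type now %d, Ethernet types seen: %s" % (pcap_linktype(converted), [hex(t) for t in types]))
    with open("raptor_as_raw_ip.pcap", "wb") as f:
        f.write(converted)
```

The resulting file opens in any pcap reader as raw IP, which is the same effect the LFF filter had in Analyzer. If the zero-trailer check fires on a real Raptor capture, that is evidence the 6+2+36 layout is wrong for that firewall version and the dissector assumption should be revisited rather than the check removed.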