Ethereal-users: Re: [Ethereal-users] Doesn't Ethereal reads F.Relay?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Mon, 06 Sep 2004 20:25:40 -0700
The answer to the question in the subject line is "it reads *some* Frame Relay captures".

Roger wrote:

> Capture file generated by: Bay Networks's Optivity Network Tap
> Capture file format:       General Network Sniffer format
> Device monitored:          Bay 5380 router
> Interface where traffic was captured: WAN interface (Frame Relay)
>
> I guess that the level 2 header of all of these packets has a Frame Relay NLPID (RFC 1490, 03CC), and not an Ethernet header.
>
> When I open the file in Ethereal, all captured packets are displayed, but no useful information is shown: the Protocol column is always "LAPB", IP addresses and ports are not shown and the Info column says "Invalid LAPB frame".

The Sniffer file formats aren't fully documented (the old DOS Sniffer format was partially documented, but I don't think the WAN capture format was fully documented, and the newer Windows format isn't documented at all).

As such, we've had to guess how to determine the link-layer type of WAN Sniffer captures, and we've not yet found a 100% reliable way to determine it (assuming that there *is* a 100% reliable way to determine it!).

We'd have to see the capture file in order to figure out why Ethereal isn't recognizing it as a Frame Relay capture. It definitely knows that it's a WAN capture (the code knows how to recognize that) - it doesn't think it's an Ethernet capture, so it's not looking for an Ethernet header (it thinks it's an X.25 capture, as indicated by the "LAPB") - but it doesn't know what *type* of WAN capture it is.

> Is there a way to correctly open this file in Ethereal? If there isn't, which sniffer or protocol analyzer may I try to open this file on a Windows PC?

Well, if it's in Sniffer format, presumably Sniffer will read it....
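
Added example (not part of the original message and not Ethereal's code): a content-based heuristic that looks at the first octets of raw WAN frames to tell an RFC 1490 Frame Relay header (2-octet Q.922 address, control 0x03, NLPID such as 0xCC) from a LAPB header. It assumes a 2-octet Q.922 address and link-layer bytes already extracted from the capture; the function names and sample frames are constructed for illustration.

```python
from collections import Counter

UI_CONTROL = 0x03                      # Q.922 unnumbered-information control octet
NLPIDS = {0xCC: "IP", 0x80: "SNAP"}    # the RFC 1490 NLPIDs this sketch recognizes
LAPB_ADDRESSES = (0x01, 0x03)          # the two single-link LAPB address values


def parse_dlci(frame):
    """Return the DLCI from a 2-octet Q.922 address, or None if malformed."""
    if len(frame) < 2:
        return None
    b0, b1 = frame[0], frame[1]
    # The EA bit (lowest bit) is 0 in the first octet and 1 in the last.
    if (b0 & 0x01) or not (b1 & 0x01):
        return None
    return ((b0 >> 2) << 4) | (b1 >> 4)


def classify(frame):
    """Return (kind, dlci, nlpid) for one raw link-layer frame."""
    dlci = parse_dlci(frame)
    if dlci is not None and len(frame) >= 4 and frame[2] == UI_CONTROL:
        nlpid = frame[3]
        if nlpid == 0x00 and len(frame) >= 5:   # optional pad octet before the NLPID
            nlpid = frame[4]
        if nlpid in NLPIDS:
            return ("frame-relay", dlci, nlpid)
    if frame and frame[0] in LAPB_ADDRESSES:
        return ("lapb", None, None)
    return ("unknown", None, None)


def guess_link_type(frames):
    """Majority vote over the frames, ignoring ones that match neither layout."""
    votes = Counter(classify(f)[0] for f in frames)
    votes.pop("unknown", None)
    return votes.most_common(1)[0][0] if votes else "unknown"


# Constructed sample frames (not taken from the capture discussed above).
SAMPLES = [
    bytes.fromhex("184103cc45000028"),      # DLCI 100, UI, NLPID 0xCC, start of IPv4
    bytes.fromhex("1841030080000000"),      # DLCI 100, UI, pad, NLPID 0x80 (SNAP)
    bytes.fromhex("013f"),                  # LAPB address 0x01 + control octet
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.hex(), classify(s))
    print(guess_link_type(SAMPLES))
```

Both valid LAPB address octets have the low bit set, so they can never pass the Q.922 first-octet check, and a Frame Relay first octet such as 0x18 is not a valid LAPB address.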