I made a MS Network Monitor 2.x capture (using netcap from MS'
support tools). I noticed the capture ended with a "netmon train"
frame. What is this used for?
Frame 88 (144 bytes on wire, 144 bytes captured)
Arrival Time: Nov 23, 2004 12:13:17.281000000
Time delta from previous packet: -29.740234000 seconds
Time since reference or first frame: -12.265625000 seconds
Frame Number: 88
Packet Length: 144 bytes
Capture Length: 144 bytes
IEEE 802.3 Ethernet
Destination: 00:00:00:00:00:00 (00:00:00_00:00:00)
Source: 00:00:00:00:00:00 (00:00:00_00:00:00)
Length: 130
Logical-Link Control
DSAP: SNAP (0xaa)
IG Bit: Individual
SSAP: SNAP (0xaa)
CR Bit: Command
Control field: U, func=UI (0x03)
000. 00.. = Command: Unnumbered Information (0x00)
.... ..11 = Frame type: Unnumbered frame (0x03)
Organization Code: Encapsulated Ethernet (0x000000)
Type: Netmon Train (0x1984)
Data (122 bytes)
0000 24 4d 53 54 00 00 00 00 67 00 00 00 5c 00 20 00 $MST....g...\. .
0010 00 00 ca cc c5 01 00 00 00 00 57 00 00 00 38 75 ..........W...8u
0020 00 00 57 00 00 00 38 75 00 00 00 00 00 00 00 00 ..W...8u........
0030 00 00 57 00 00 00 38 75 00 00 00 00 00 00 01 00 ..W...8u........
0040 00 00 00 00 00 00 00 00 00 00 2f 00 00 00 00 00 ........../.....
0050 00 00 ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ................
0060 ff ff ff ff ff ff 00 00 00 00 99 28 bb 00 00 00 ...........(....
0070 00 00 2a 00 00 00 2a 00 00 00 ..*...*...
Note the negative times. Doesn't look right.
--gv