ryanl@xxxxxxxxxx wrote:
Do I need to change the Link Layer header type in Ethereal ? It is
grayed out (set to Ethernet) as of now.
If it's grayed out, you *can't* change it.
It's only changeable if libpcap/WinPcap allows it to be changed, and it
doesn't do so on Windows, at least with the current version of WinPcap
(at some point it'll probably support it - but only for use with Cisco
cable modem equipment; see below).
That feature of libpcap was originally introduced to handle the way more
BSD 802.11 drivers are being made to work over time - they default to
providing packets with fake Ethernet headers (for compatibility with
BPF-based applications that don't handle 802.11 headers), but also allow
a particular application using BPF to request 802.11 headers instead.
(Ethereal should probably default to 802.11 if the driver supports both
802.11 and Ethernet headers.)
That's not available on Windows - the way Windows 802.11 drivers work is
that, if you can get anything from them at all (at least some Windows
802.11 drivers appear not to work in promiscuous mode, for example), you
only get fake Ethernet headers, without being able to choose anything else.
That feature was also adapted for
1) the synchronous serial DAG cards from Endace - you can choose what
link-layer header is being used on the serial line being tapped;
2) Cisco's feature wherein, on some of their cable modem head-end
equipment (at the cable company, not at the subscriber site), they can
mirror traffic onto an Ethernet, which they're just using for its
framing capabilities - the actual packet data is DOCSIS, not Ethernet,
i.e. it doesn't have the usual 14-byte Ethernet header, so you can, with
recent versions of libpcap, choose DOCSIS rather than Ethernet, but
doing so when you're not listening on a special private Ethernet plugged
into their equipment is pointless.
Those capabilities are not in any current libpcap/WinPcap releases;
they'll probably appear in some future release.
However, that wouldn't make a differenc here; changing the link-layer
header won't affect whether the hardware will see the packets in
question. This is probably an issue with the switch, or *perhaps* with
the driver or some other software on the machine.