Ethereal-users: Re: [Ethereal-users] HELP - Only Broadcast Traffic

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Wed, 19 Jan 2005 10:10:39 -0800
ryanl@xxxxxxxxxx wrote:

> Do I need to change the Link Layer header type in Ethereal ? It is grayed out (set to Ethernet) as of now.

If it's grayed out, you *can't* change it.

It's only changeable if libpcap/WinPcap allows it to be changed, and it doesn't do so on Windows, at least with the current version of WinPcap (at some point it'll probably support it - but only for use with Cisco cable modem equipment; see below).

That feature of libpcap was originally introduced to handle the way more BSD 802.11 drivers are being made to work over time - they default to providing packets with fake Ethernet headers (for compatibility with BPF-based applications that don't handle 802.11 headers), but also allow a particular application using BPF to request 802.11 headers instead. (Ethereal should probably default to 802.11 if the driver supports both 802.11 and Ethernet headers.)

That's not available on Windows - the way Windows 802.11 drivers work is that, if you can get anything from them at all (at least some Windows 802.11 drivers appear not to work in promiscuous mode, for example), you only get fake Ethernet headers, without being able to choose anything else.

That feature was also adapted for

1) the synchronous serial DAG cards from Endace - you can choose what link-layer header is being used on the serial line being tapped;

2) Cisco's feature wherein, on some of their cable modem head-end equipment (at the cable company, not at the subscriber site), they can mirror traffic onto an Ethernet, which they're just using for its framing capabilities - the actual packet data is DOCSIS, not Ethernet, i.e. it doesn't have the usual 14-byte Ethernet header, so you can, with recent versions of libpcap, choose DOCSIS rather than Ethernet, but doing so when you're not listening on a special private Ethernet plugged into their equipment is pointless.

Those capabilities are not in any current libpcap/WinPcap releases; they'll probably appear in some future release.

However, that wouldn't make a difference here; changing the link-layer header won't affect whether the hardware will see the packets in question. This is probably an issue with the switch, or *perhaps* with the driver or some other software on the machine.
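
Added example, not part of the original message or of Ethereal/libpcap: a small reader for the 24-byte header of a classic pcap capture file that reports which link-layer header type the capture was written with (Ethernet, 802.11 or DOCSIS, the types named above). It goes beyond the message by inspecting saved files rather than live interfaces; `make_header` and the sample headers are constructed for illustration.

```python
import struct

# Link-layer header type numbers for the types named in the message.
LINKTYPES = {1: "Ethernet", 105: "IEEE 802.11", 143: "DOCSIS"}

# Magic number as read big-endian -> (struct byte order, timestamp resolution).
MAGICS = {
    0xA1B2C3D4: (">", "microsecond"),
    0xD4C3B2A1: ("<", "microsecond"),
    0xA1B23C4D: (">", "nanosecond"),
    0x4D3CB2A1: ("<", "nanosecond"),
}


def read_linktype(header: bytes) -> dict:
    """Parse a classic pcap file header and return its link-layer type."""
    if len(header) < 24:
        raise ValueError("truncated pcap file header (need 24 bytes)")
    (magic,) = struct.unpack(">I", header[:4])
    if magic not in MAGICS:
        raise ValueError(f"not a classic pcap file (magic 0x{magic:08x})")
    order, resolution = MAGICS[magic]
    # version major/minor, timezone, sigfigs, snaplen, network (link type)
    major, minor, _zone, _sigfigs, snaplen, network = struct.unpack(
        order + "HHiIII", header[4:24]
    )
    # The low 16 bits carry the link type; upper bits hold extra information.
    linktype = network & 0xFFFF
    return {
        "version": (major, minor),
        "resolution": resolution,
        "snaplen": snaplen,
        "linktype": linktype,
        "name": LINKTYPES.get(linktype, "other (not covered in this example)"),
    }


def make_header(linktype: int, order: str = "<", magic: int = 0xA1B2C3D4) -> bytes:
    """Build a constructed sample header (hypothetical helper for the demo)."""
    return struct.pack(order + "IHHiIII", magic, 2, 4, 0, 0, 65535, linktype)


if __name__ == "__main__":
    # Constructed samples: an 802.11 adapter delivering fake Ethernet headers
    # is recorded as link type 1, real 802.11 headers as 105.
    for lt in (1, 105, 143):
        print(read_linktype(make_header(lt)))
```

A capture taken on a wireless adapter that reports "Ethernet" here was delivered with the fake Ethernet headers the message describes, so no 802.11 header fields are present in the file.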