On Mon, Sep 29, 2008 at 1:15 PM, Pat Kujawa
<pat.kujawa+wireshark@xxxxxxxxxxxx> wrote:
... snip ...
In reading through packet-eth.c, it seems that the ethernet type is being determined by checking a length field, but I don't understand where that field is coming from ("etype = pntohs(&pd[offset+12])").
... snip ...
ISTR When I had to do this myself about 20 years ago, something along the lines of:
If the length was a valid length Ie. less than the 1500 bytes allowed, then it was an Ethernet II packet,
and that 802.3 packet types started with enumerations that were larger than a valid packet size.