Wireshark-users: [Wireshark-users] bogus LLC header in UDP packet

From: Martin Pokorny <mpokorny@xxxxxxxx>
Date: Tue, 30 Jan 2007 14:11:39 -0700
Hi,

I think I may have stumbled onto a Wireshark bug (Ethereal version 0.99.0, libpcap version 0.8.3 on RHEL4). An application on which I'm working is receiving UDP packets over gigabit Ethernet from some custom hardware. The packets have a fixed source and destination UDP port number, which we had set to 12001 and 12000, respectively. Wireshark shows an LLC header after the UDP header, which is simply not present; see first attachment (bad.pcap). In the process of poking around a bit, I changed the UDP port numbers to 12032 and 12048 in the pcap file, and Wireshark no longer reported the LLC header; see second attachment (good.pcap). Unless I'm totally missing something about LLC (definite possibility), this looks like a bug in Wireshark or libpcap.

I'm not subscribed to this list; please send questions to me directly.

--
Martin

Attachment: bad.pcap
Description: Binary data

Attachment: good.pcap
Description: Binary data
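
The diagnostic step described in the message above (changing the UDP port numbers inside the capture file and checking whether the extra header is still reported) can be scripted. The following is an added example, not part of the original post or of Wireshark; the function names, the mapping direction (12001 to 12032, 12000 to 12048) and the one-packet sample capture are assumptions constructed for illustration.

```python
import struct

def build_sample_pcap(sport, dport, payload=b"\x00" * 8):
    """Constructed one-packet capture (not the poster's bad.pcap)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # header checksum left 0
    frame = bytes(6) + bytes(6) + b"\x08\x00" + ip + udp
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return ghdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def patch_frame(frame, port_map):
    """Remap UDP ports in one Ethernet II / IPv4 frame; leave anything else alone."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return
    if frame[23] != 17 or struct.unpack("!H", frame[20:22])[0] & 0x1FFF:
        return  # not UDP, or a non-first fragment with no UDP header
    udp = 14 + (frame[14] & 0x0F) * 4
    if len(frame) < udp + 8:
        return
    sport, dport = struct.unpack_from("!HH", frame, udp)
    struct.pack_into("!HH", frame, udp,
                     port_map.get(sport, sport), port_map.get(dport, dport))
    # A zero UDP checksum means "not computed" over IPv4, so the edited
    # packet is not flagged for a stale checksum.
    struct.pack_into("!H", frame, udp + 6, 0)

def rewrite_udp_ports(pcap, port_map):
    """Return a copy of a classic pcap file with UDP ports remapped."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET (1) is handled")
    out, off = bytearray(pcap[:24]), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "I", pcap, off + 8)[0]
        frame = bytearray(pcap[off + 16:off + 16 + incl_len])
        if len(frame) != incl_len:
            raise ValueError("truncated packet record")
        patch_frame(frame, port_map)
        out += pcap[off:off + 16] + frame
        off += 16 + incl_len
    return bytes(out)

if __name__ == "__main__":
    before = build_sample_pcap(12001, 12000)
    after = rewrite_udp_ports(before, {12001: 12032, 12000: 12048})
    print(struct.unpack_from("!HH", after, 24 + 16 + 34))
```

Only the four port bytes and the UDP checksum field change, so if the two files dissect differently, the difference is tied to the port numbers rather than to the payload.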