Hi,
I think I may have stumbled onto a wireshark bug (ethereal version
0.99.0, libpcap version 0.8.3 on RHEL4). An application on which I'm
working is receiving UDP packets over gigabit Ethernet from some custom
hardware. The packets have a fixed source and destination UDP port
number, which we had set to 12001 and 12000, respectively. Wireshark
shows an LLC header after the UDP header, which is simply not present;
see first attachment (bad.pcap). In the process of poking around a bit,
I changed the UDP port numbers to 12032 and 12048 in the pcap file, and
wireshark no longer reported the LLC header; see second attachment
(good.pcap). Unless I'm totally missing something about LLC (definite
possibility), this looks like a bug in wireshark or libpcap.
I'm not subscribed to this list, please send questions to me directly.
--
Martin
Attachment:
bad.pcap
Description: Binary data
Attachment:
good.pcap
Description: Binary data