Wireshark-users: Re: [Wireshark-users] wireshark or linux kernel netfilter issue

From: "Luis EG Ontanon" <luis.ontanon@xxxxxxxxx>
Date: Sat, 21 Jul 2007 19:04:04 +0200
If you notice the PPPoE length on most outbound packets is wrong.

It may be calculated after being passed to the capture mechanism --
have you had an opportunuty to see what actually goes through the
wire?

In the case of packet 11 the payload length is  0x520 - 0x16 = 1290
and the IP header states it should be 1292.

If you capture the PPP negotiation, What's the negotiated MTU ?

I think that's a bug in the kernel (probably in the capture part) but
unless we see what goes through the wire we cannot be sure about
exactly what is wrong.

BTW I found another bug in packet 14 of kscd_ppp0.pcap, the HTTP
payload is not decoded!


On 7/20/07, Toralf Förster <toralf.foerster@xxxxxx> wrote:
I use at home an DSL connection. The sniffed network stream over the ppp0 interface looks fine whereas the sniffed packets from the eth0 often looks bad :-(

As an example I attached 2 pcap files with the communication of the KDE program kscd with the CDDB server freedb.org, sniffed from ppp0 and eth0.

I don't undestand why the ppp0 stream is ok, whereas the eth0 stream has the malformed package #11. Any explanation are appreciated.

--
MfG/Sincerely

Toralf Förster

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users





--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan