On Fri, Feb 29, 2008 at 09:40:27PM -0700, Stephen Fisher wrote:
> On Fri, Feb 29, 2008 at 10:33:42PM -0600, Frank Bulk wrote:
>
> > The packets are showing up in Wireshark on my workstation, but the
> > packets aren't decoding to show that they are a ping. I see the
> > payload of the ping in the data section, but it's like the "ip traffic
> > export" feature added another header. But the documentation says,
> > "The unaltered IP packets are exported on a single LAN or VLAN
> > interface, thereby, easing deployment of protocol analyzers and
> > monitoring devices."
>
> I haven't used that feature before, but if you would like to attach a
> small capture file (2-3 packets) in a mail to the list, myself or
> someone else could have a look at what the router may be adding.

I hadn't used this feature before either, but it certainly got me
interested so I configured a router to do "ip traffic export".
Unfortunately my test-setup was limited so I could not route
traffic *through* the box. But I was able to see the incoming
packets as they were forwarded to the wireshark-pc by the router.
No additional headers were present. So basically the L2 layer
was replaced by "<wireshark-pc-mac><cisco-router-mac>0800".
Could you indeed post a capture with a few frames that show the
extra header?

Cheers,
Sake