Wireshark-users: Re: [Wireshark-users] Decoding packets from a Cisco's "ip traffic-export" flow

From: "Frank Bulk" <frnkblk@xxxxxxxxx>
Date: Sat, 1 Mar 2008 11:45:37 -0600
"00 30 b6 53 00 06" is the MAC address of the Cisco Ethernet port that's
sending the traffic out to my workstation running Wireshark.  The first few
unknown bytes are part of the MAC address of the Cisco.

The next bytes are unclear to me.

Frank

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Bill Meier
Sent: Saturday, March 01, 2008 11:24 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Decoding packets from a Cisco's "ip
traffic-export" flow

Frank Bulk wrote:
> Thanks for your willingness to look at this.  I'm glad to have a tool like
> Wireshark because I can't interpret the raw packets. =)
>
> Attached are three ping packets that my Wireshark PC caught.  The info line
> complains "Bogus IP length (8, less than header length 24)".
>

I see an extra 20 bytes between the ethernet header and the ip header;
I'm not knowledgeable enough to know what those bytes are. (I'll
certainly be interested to see the determination as to what they are).


Ethernet hdr specifying type  0x0800 [IP]
0000  00 12 79 63 1a 8c 00 30  b6 53 00 06 08 00

20 unknown (to me) bytes
0000                                             b6 53
0010  00 08 00 01 4a 9e 0e 06  88 64 11 00 00 06 00 3e
0020  00 21

looks like a good ip hdr & icmp payload
0020        45 00 ....................................
0030  ................................................
0040  ................................................
0050  ............................................


_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
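Added worked example (not code from the thread, from Cisco, or from Wireshark): a small Python decoder that walks the bytes of Bill's dump. Two things in it are drawn directly from the dump; the rest is assumption, labelled as such. First, the "Bogus IP length (8, less than header length 24)" message is exactly what a dissector produces if it reads the four bytes after the outer Ethernet header, "b6 53 00 08", as an IPv4 header: 0xb6 gives version 11 and IHL 6 (24 bytes), and 0x0008 gives a total length of 8. Second, the last ten of the twenty unplaced bytes, "88 64 11 00 00 06 00 3e 00 21", are a PPPoE session-stage ethertype (0x8864), a PPPoE header (ver/type 0x11, code 0, session 6, length 0x3e = 62) and the PPP protocol for IPv4 (0x0021); 62 is 2 bytes of PPP protocol plus a 60-byte IP packet, which is the size of a standard Windows ping (20 IP + 8 ICMP + 32 data). That reading is my inference from the byte values, not something the thread confirms. The ten bytes before the 0x8864 are left uninterpreted. Because the dump elides the IP and ICMP bytes, the script builds a constructed 60-byte echo request (TEST-NET addresses, made-up id/seq) behind the real header bytes so it can be run offline.

```python
"""Decode the frame from Bill Meier's dump: outer Ethernet header, then the
20 bytes Wireshark could not place, then the IP packet.  Added example, not
code from the thread, from Cisco, or from Wireshark."""
import struct

# Header bytes copied from the dump in the thread (34 bytes).
HEADER_BYTES = bytes.fromhex(
    "00 12 79 63 1a 8c 00 30 b6 53 00 06 08 00"  # outer Ethernet header, type 0x0800 (IP)
    "b6 53 00 08 00 01 4a 9e 0e 06"              # 10 bytes this example does not interpret
    "88 64 11 00 00 06 00 3e 00 21"              # 0x8864 PPPoE session, PPPoE hdr, PPP 0x0021
)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo_ip(src: str, dst: str, ident: int = 1, seq: int = 1) -> bytes:
    """Constructed IPv4 + ICMP echo request, 60 bytes; the dump elides the real one."""
    payload = bytes(range(0x61, 0x61 + 32))          # 32-byte data, as Windows ping sends
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 128, 1, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


# Constructed frame: the real 34 header bytes followed by a made-up ping (TEST-NET addresses).
FRAME = HEADER_BYTES + build_icmp_echo_ip("192.0.2.10", "192.0.2.1")


def mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def naive_ip_view(frame: bytes) -> dict:
    """What a dissector sees if it takes the bytes right after the outer Ethernet
    header as IPv4: 0xb6 -> version 11, IHL 6 (24 bytes); 0x0008 -> total length 8."""
    b = frame[14:18]
    hdr_len = (b[0] & 0x0F) * 4
    total_len = struct.unpack("!H", b[2:4])[0]
    return {"version": b[0] >> 4, "header_len": hdr_len,
            "total_length": total_len, "bogus": total_len < hdr_len}


def decode_exported_frame(frame: bytes) -> dict:
    """Walk the frame as outer Ethernet -> 10 skipped bytes -> PPPoE session -> PPP -> IPv4 -> ICMP.
    The PPPoE reading of the 20 bytes is an assumption inferred from their values."""
    out = {"outer_dst": mac(frame[0:6]), "outer_src": mac(frame[6:12]),
           "outer_type": struct.unpack("!H", frame[12:14])[0]}
    off = 14 + 10                                    # skip the 10 uninterpreted bytes
    inner_type = struct.unpack("!H", frame[off:off + 2])[0]
    if inner_type != 0x8864:
        raise ValueError("expected PPPoE session ethertype at offset %d" % off)
    off += 2
    vt, code, session, plen = struct.unpack("!BBHH", frame[off:off + 6])
    if vt != 0x11 or code != 0:
        raise ValueError("not a PPPoE session-stage header")
    off += 6
    ppp_proto = struct.unpack("!H", frame[off:off + 2])[0]
    if ppp_proto != 0x0021:
        raise ValueError("PPP protocol 0x%04x is not IPv4" % ppp_proto)
    off += 2
    out.update({"pppoe_session": session, "pppoe_length": plen, "ppp_protocol": ppp_proto})
    ip = frame[off:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if plen != 2 + total_len:                        # PPPoE length covers PPP proto + IP
        raise ValueError("PPPoE length %d != 2 + IP total length %d" % (plen, total_len))
    out["ip_total_length"] = total_len
    out["ip_checksum_ok"] = inet_checksum(ip[:ihl]) == 0
    out["ip_src"] = ".".join(str(x) for x in ip[12:16])
    if ip[9] == 1:                                   # protocol 1 = ICMP
        icmp = ip[ihl:total_len]
        out["icmp_type"] = icmp[0]
        out["icmp_checksum_ok"] = inet_checksum(icmp) == 0
    return out


if __name__ == "__main__":
    print(naive_ip_view(FRAME))
    for k, v in decode_exported_frame(FRAME).items():
        print("%-18s %s" % (k, v))
```

With the constructed 60-byte ping appended, the frame ends at offset 0x5e, which is consistent with the dump's last line starting at 0x50. In Wireshark itself the equivalent check is to right-click the frame and use "Decode As" on the bytes at offset 24, or to skip ahead until the 0x8864 ethertype and let the PPPoE dissector take over; if the length check in decode_exported_frame fails on a real capture, the PPPoE reading is wrong for that frame and the 20 bytes need another interpretation.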