Frank Bulk wrote:
Ethernet hdr specifying type 0x0800 [IP]
0000 00 12 79 63 1a 8c 00 30 b6 53 00 06 08 00
20 unknown (to me) bytes
0000 b6 53
0010 00 08 00 01 4a 9e 0e 06 88 64 11 00 00 06 00 3e
0020 00 21
looks like a good ip hdr & icmp payload
0020 45 00 ....................................
0030 ................................................
0040 ................................................
0050 ............................................
OK: (Learning as I go)
It turns out that it appears that what's really going on is that there's
an extra 12 bytes of ethernet destination/source at the beginning of the
packet.
If I strip those, I get what appears to be the original frame (see
attached).
So: I it seems that the ethernet src/dest at the beginning is (as you
said) the MAC of the switch tap src and (presumably) the dest is the MAC
of your wireshark PC.
Interesting....
Attachment:
zila.pcap
Description: Binary data