Wireshark-users: Re: [Wireshark-users] Decoding packets from a Cisco's "ip traffic-export" flow

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Bill Meier <wmeier@xxxxxxxxxxx>
Date: Sat, 01 Mar 2008 13:13:12 -0500
Frank Bulk wrote:


Ethernet hdr specifying type  0x0800 [IP]
0000  00 12 79 63 1a 8c 00 30  b6 53 00 06 08 00

20 unknown (to me) bytes
0000                                             b6 53
0010  00 08 00 01 4a 9e 0e 06  88 64 11 00 00 06 00 3e
0020  00 21

looks like a good ip hdr & icmp payload
0020        45 00 ....................................
0030  ................................................
0040  ................................................
0050  ............................................




OK: (Learning as I go)

It turns out that it appears that what's really going on is that there's
an extra 12 bytes of ethernet destination/source at the beginning of the packet.
If I strip those, I get what appears to be the original frame (see attached).
So: I it seems that the ethernet src/dest at the beginning is (as you said) the MAC of the switch tap src and (presumably) the dest is the MAC of your wireshark PC. 

Interesting....

Attachment: zila.pcap
Description: Binary data