I used bittwiste to remove the first 12 bytes of the attached packet capture
that included a variety of traffic, and you'll see that some packets are
fine, but others, such as 4, 7, 8, etc. are not.
Can anyone make sense of it?
Regards,
Frank
-----Original Message-----
From: Bill Meier [mailto:wmeier@xxxxxxxxxxx]
Sent: Saturday, March 01, 2008 12:13 PM
To: frnkblk@xxxxxxxxx; Community support list for Wireshark
Subject: Re: [Wireshark-users] Decoding packets from a Cisco's "ip traffic-export" flow
Frank Bulk wrote:
>
> Ethernet hdr specifying type 0x0800 [IP]
> 0000 00 12 79 63 1a 8c 00 30 b6 53 00 06 08 00
>
> 20 unknown (to me) bytes
> 0000 b6 53
> 0010 00 08 00 01 4a 9e 0e 06 88 64 11 00 00 06 00 3e
> 0020 00 21
>
> looks like a good ip hdr & icmp payload
> 0020 45 00 ....................................
> 0030 ................................................
> 0040 ................................................
> 0050 ............................................
>
>
OK: (Learning as I go)
It turns out that it appears that what's really going on is that there's
an extra 12 bytes of ethernet destination/source at the beginning of the
packet.
If I strip those, I get what appears to be the original frame (see
attached).
So: it seems that the ethernet src/dest at the beginning is (as you
said) the MAC of the switch tap src and (presumably) the dest is the MAC
of your wireshark PC.
Interesting....
Attachment: bittwiste_output.pcap (binary data)
Attachment: ip_traffic-export(more).pcap (binary data)
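As an added example (not code from either poster), a small Python pcap walker that strips a configurable number of leading bytes from every record, as the bittwiste step in the thread did, and reports whether what remains parses as a plausible Ethernet frame; with the 12-byte strip, the bytes Frank quoted put 0x8864 (PPPoE session) in the EtherType field and PPP protocol 0x0021 (IPv4) in front of the "45 00" IP header. The IP/ICMP body was elided in the post, so it is replaced here by constructed filler of the length the PPPoE header announces.

```python
import struct

# Constructed sample: the bytes Frank quoted (14-byte Ethernet hdr, the 20 "unknown"
# bytes), then constructed filler for the elided body: 20-byte IPv4 hdr + 40 zero bytes.
QUOTED = bytes.fromhex(
    "0012 7963 1a8c 0030 b653 0006 0800"                  # Ethernet hdr, type 0x0800
    "b653 0008 0001 4a9e 0e06 8864 1100 0006 003e 0021"   # the 20 "unknown" bytes
)
FILLER_IP = bytes.fromhex("4500 003c 0001 0000 4001 0000 0a000001 0a000002") + bytes(40)
SAMPLE_FRAME = QUOTED + FILLER_IP

def build_pcap(frames):
    """Constructed little-endian classic pcap (linktype 1 = Ethernet) holding frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def pcap_records(data):
    """Yield raw packet bytes from a classic (microsecond) pcap file, either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def looks_like_ipv4(b):
    return len(b) >= 20 and b[0] >> 4 == 4 and (b[0] & 0x0F) >= 5

def classify(frame):
    """Return (ethertype, verdict) for a frame after the leading bytes were removed."""
    if len(frame) < 14:
        return None, "truncated"
    etype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if etype == 0x0800:
        return etype, "ipv4" if looks_like_ipv4(payload) else "bad-ipv4"
    if etype == 0x8864:  # PPPoE session: 6-byte PPPoE hdr (ver/type 0x11, code 0, session,
        ok = (len(payload) >= 8 and payload[0] == 0x11 and payload[1] == 0x00  # length)
              and struct.unpack("!H", payload[4:6])[0] == len(payload) - 6    # then PPP
              and payload[6:8] == b"\x00\x21" and looks_like_ipv4(payload[8:]))  # proto
        return etype, "pppoe-ipv4" if ok else "bad-pppoe"
    return etype, "unknown-ethertype"

def check_capture(data, strip=12):
    """Drop `strip` leading bytes from every record and classify what is left."""
    return [classify(pkt[strip:]) for pkt in pcap_records(data)]
```

Records that still come back as "bad-ipv4" or "unknown-ethertype" after the strip are the ones worth comparing byte by byte against a frame that decoded cleanly.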