>>> Bill Meier <wmeier@xxxxxxxxxxx> 2008-03-02 09:28 >>>
> One additional note: Looking at the packets in the longer capture it
> appears to me that some are messed up in different ways from the first.
> In addition there are a few packets which seem to have had all the PPPoE
> stuff stripped so that they look like good packets in the original capture.
Here's perhaps a different way to look at these files....
Using Wireshark's new "custom" column feature, create a column
for the filter "ip.version". If you then sort the trace by this new
"ip.version" column you will notice that there are five values.
Could Cisco's "fixup" mentioned in an earlier message simply be
looking at the offset of where the ip.version field would be located
in a "normal" frame to make a determination on how to parse/correct
the record?
In the sample trace ip_traffic-export(more).pcap (which contained 179
frames) I saw the following five IP version values:
ip.version==0
ip.version==1
ip.version==4
ip.version==5
ip.version==11
Only the frames with "ip.version==4" dissected in expected manner! ;-)
At a minimum, using these filters could make it easier to generate subset
trace files which can then be post-processed with different rules by
bittwiste and then combined back together with mergecap for further
analysis within Wireshark.
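The split-and-merge triage sketched in this message, as an added stand-alone example (it is not code from the list thread or from Wireshark). It reads a classic pcap with the standard library only, buckets each Ethernet frame by the nibble Wireshark would report as ip.version (byte 14 of an Ethernet II frame, high nibble), writes one pcap per value, and merges the subsets back in timestamp order. That is the same effect as running `tshark -Y "ip.version==N" -w subset_N.pcap` once per value and then `mergecap -w merged.pcap subset_*.pcap`, which is the manual pipeline the message proposes. The sample frames are constructed here and are not from ip_traffic-export(more).pcap; the frame that yields ip.version==1 is a PPPoE session frame whose Ethertype was rewritten to 0x0800 (the first PPPoE header byte is 0x11, VER=1/TYPE=1), which is one assumed way such a value could arise, not a claim about what produced it in the real trace.

```python
"""Bucket pcap frames by the ip.version nibble, write per-value subsets, merge back.

Added illustration of the triage discussed on the list; pure stdlib, no
tshark/mergecap needed.  Sample frames below are constructed for the demo.
"""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4       # classic little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
IP_VERSION_OFFSET = 14        # Ethernet II: dst(6) + src(6) + ethertype(2)


def pcap_bytes(frames):
    """Serialize (timestamp_us, frame) pairs into a classic pcap file image."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_us, frame in frames:
        out.append(struct.pack("<IIII", ts_us // 1_000_000, ts_us % 1_000_000,
                               len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_pcap(data):
    """Yield (timestamp_us, frame) records from a classic little-endian pcap."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    pos = 24
    while pos + 16 <= len(data):
        sec, usec, caplen, _origlen = struct.unpack_from("<IIII", data, pos)
        pos += 16
        yield sec * 1_000_000 + usec, data[pos:pos + caplen]
        pos += caplen


def ip_version_nibble(frame):
    """High nibble of the byte an Ethernet/IPv4 dissector reads as ip.version.
    Runt frames that end before that offset get None so they land in their own bucket."""
    if len(frame) <= IP_VERSION_OFFSET:
        return None
    return frame[IP_VERSION_OFFSET] >> 4


def split_by_ip_version(data):
    """Like one `tshark -Y "ip.version==N" -w subset_N.pcap` per observed N."""
    buckets = defaultdict(list)
    for ts, frame in iter_pcap(data):
        buckets[ip_version_nibble(frame)].append((ts, frame))
    return {v: pcap_bytes(recs) for v, recs in buckets.items()}


def merge_pcaps(subsets):
    """Like `mergecap -w merged.pcap subset_*.pcap`: chronological merge of the subsets."""
    records = [rec for s in subsets for rec in iter_pcap(s)]
    records.sort(key=lambda r: r[0])
    return pcap_bytes(records)


# --- constructed sample capture (not the trace from the thread) -----------------
ETH = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")          # dst, src
IPV4_HDR = bytes.fromhex("4500001400010000400100000a0000010a000002")        # 20-byte IPv4 header
# PPPoE session header: VER/TYPE=0x11, CODE=0x00, SESSION_ID=1, LENGTH=22, PPP proto 0x0021 (IP)
PPPOE_SESSION = bytes.fromhex("1100000100160021")


def sample_capture():
    """Five frames: two clean IPv4, one mislabelled PPPoE (ip.version==1),
    one zero-filled payload (ip.version==0), one runt (no version byte at all)."""
    good = ETH + b"\x08\x00" + IPV4_HDR
    pppoe_mislabelled = ETH + b"\x08\x00" + PPPOE_SESSION + IPV4_HDR   # assumed corruption
    zeroed = ETH + b"\x08\x00" + b"\x00" * 20
    runt = ETH[:10]
    base = 1_204_450_000_000_000                                       # arbitrary epoch (us)
    frames = [good, pppoe_mislabelled, good, zeroed, runt]
    return pcap_bytes([(base + i, f) for i, f in enumerate(frames)])


def version_counts(data):
    """Frame count per ip.version bucket, the equivalent of sorting the custom column."""
    return {v: sum(1 for _ in iter_pcap(sub)) for v, sub in split_by_ip_version(data).items()}


if __name__ == "__main__":
    cap = sample_capture()
    print(version_counts(cap))                       # {4: 2, 1: 1, 0: 1, None: 1}
    merged = merge_pcaps(split_by_ip_version(cap).values())
    print(list(iter_pcap(merged)) == list(iter_pcap(cap)))
```

The per-bucket files are where a tool like bittwiste would be applied with a different rule per value (for example, deleting the eight PPPoE bytes from the ip.version==1 subset) before merging; `merge_pcaps` keeps the original ordering because the records are sorted by timestamp, exactly what mergecap does by default.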