Hi,
LINKTYPE_ATM_RFC1483 expects the LLC header right away, that's why it
doesn't work.
What's that 8 byte header? (Port,VP,VC?)
What you could do is to change the file to use one of the USER_DLTs
(147-162) and in the DLT_USER preferences assign llc to it and a
header size of 8.
\L
On Tue, Apr 22, 2008 at 7:33 AM, Nirupama Sankaranarayanan
<nirupama76@xxxxxxxxx> wrote:
> Hi,
>
> I have some packets that are ATM LLC/SNAP
> encapsulated. When I feed these into Wireshark with
> the link type code 100, Wireshark does not decode the
> entire packet correctly.
>
> For e.g., the following OSPF packet -
>
> 0000 00 00 08 00 00 02 00 7f aa aa 03 00 00 00 08 00
> 0010 45 c0 00 40 aa d8 00 00 01 59 8b c7 c0 01 01 01
> 0020 c0 01 01 02 02 01 00 2c c0 01 01 01 00 00 00 00
> 0030 3b 9d 00 00 00 00 00 00 00 00 00 00 ff ff ff 00
> 0040 00 0a 02 00 00 00 00 28 00 00 00 00 00 00 00 00
> 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0060 00 00 00 48 a5 c5 81 97
>
> is decoded into -
> Frame 1 (relevant info),
> Logical-Link Control -> DSAP, IG Bit, SSAP, CR Bit,
> Control field, and 100 bytes of data.
>
> If the packet is edited to get rid of the first 8
> octets (packet now starts at "aa aa") then it is
> decoded correctly.
>
> Questions -
>
> 1. Is this the expected behavior? Should we only
> expect correct decodes if we start at the LLC part?
>
> 2. If this is the expected behavior, then is there any
> other link type code that will get me proper decodes
> for the above dump (without chopping off the ATM
> header that is).
>
> 3. If answer to (2) is "no other link code", then is
> it possible to introduce a new link type code to
> decode the above correctly?
>
> Thanks,
> Niru
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
>
--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
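
The link-type change suggested in the reply, as an added Python example (not code from the thread or from Wireshark): it rewrites the link-type field of a classic pcap file from 100 to a USER DLT and reports where the LLC/SNAP header starts in each record, which is the header size to enter in the DLT_USER preferences. The function names and the sample capture built around the frame from the post are constructed for illustration; pcapng files are not handled.

```python
import struct

# First four bytes read big-endian -> byte order of the rest of the file
# (microsecond and nanosecond variants of the classic pcap magic).
MAGICS = {0xA1B2C3D4: ">", 0xD4C3B2A1: "<", 0xA1B23C4D: ">", 0x4D3CB2A1: "<"}
LINKTYPE_ATM_RFC1483 = 100
DLT_USER0, DLT_USER15 = 147, 162
LLC_SNAP = bytes.fromhex("aaaa03")  # DSAP, SSAP, control of an LLC/SNAP header

# The frame from the post: 8 unknown bytes, then LLC/SNAP, then IP/OSPF.
FRAME = bytes.fromhex("""
    00 00 08 00 00 02 00 7f aa aa 03 00 00 00 08 00
    45 c0 00 40 aa d8 00 00 01 59 8b c7 c0 01 01 01
    c0 01 01 02 02 01 00 2c c0 01 01 01 00 00 00 00
    3b 9d 00 00 00 00 00 00 00 00 00 00 ff ff ff 00
    00 0a 02 00 00 00 00 28 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 48 a5 c5 81 97
""")

def byte_order(pcap: bytes) -> str:
    if len(pcap) < 24:
        raise ValueError("truncated pcap global header")
    order = MAGICS.get(struct.unpack(">I", pcap[:4])[0])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    return order

def retag_linktype(pcap: bytes, new_dlt: int = DLT_USER0) -> bytes:
    """Copy of the capture with the global-header link type set to a USER DLT."""
    if not DLT_USER0 <= new_dlt <= DLT_USER15:
        raise ValueError("new_dlt must be in the USER range 147-162")
    return pcap[:20] + struct.pack(byte_order(pcap) + "I", new_dlt) + pcap[24:]

def llc_offsets(pcap: bytes) -> list:
    """Offset of the first aa aa 03 in each record (-1 if absent)."""
    order, pos, found = byte_order(pcap), 24, []
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[pos + 8:pos + 12])[0]
        found.append(pcap[pos + 16:pos + 16 + incl_len].find(LLC_SNAP))
        pos += 16 + incl_len
    return found

def sample_pcap() -> bytes:
    """Constructed little-endian capture holding FRAME with link type 100."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ATM_RFC1483)
    rec = struct.pack("<IIII", 0, 0, len(FRAME), len(FRAME))
    return hdr + rec + FRAME
```

For the frame in the post, `llc_offsets` returns `[8]`, matching the header size of 8 given in the reply; the llc assignment itself is still made in Wireshark's DLT_USER preferences.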