I'm hoping someone can point me in the right direction.� I have a PCAP
file where the packets do not have an Ethernet header; instead they
have a PPP (Point-to-Point Protocol) header.
I have a few questions.
1. The PPP header I'm seeing in wireshark has the following structure:
��� Address���� 0xFF (1 byte)
��� Control���� 0x03 (1 byte)
��� Protocol� 0x0021 (2 bytes)
��� <...followed by IPv4...>
What happened to the 1-byte Flag field (usually set at 0x7E) which
indicates the beginning of the PPP frame?
2. Given that the flag field is missing, how was wireshark still able
to guess the proper format of the packet?� The packet format is:
��� PPP
����� IPv4
�������� UDP/Teredo
���������� IPv6
������������ ICMPv6
3. Even if the flag field were present, how does wireshark usually
identify the type of Layer 2 header?� Does it guess?