Good news: After one month of (slowly) working with Cisco's TAC, the (third)
tech reproduced the problem.
I've asked Cisco to supply me a Bug ID.
Frank
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
Sent: Friday, February 29, 2008 10:34 PM
T
al Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
Sent: Monday, March 03, 2008 4:15 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Decoding packets from a Cisco's "ip
traffic-export" flow
Good catch!
I used that i
ergecap.exe" -w "%1-repaired.pcap"
c:\temp\tmp-b-a.pcap c:\temp\tmp-b-b.pcap c:\temp\tmp-c.pcap
c:\temp\tmp-b-d.pcap
Regards,
Frank
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jim Young
Sent: Sunday, March 02, 2008 9:55 PM
To: Community support li
: Sake Blok [mailto:[EMAIL PROTECTED]
Sent: Sunday, March 02, 2008 8:21 AM
To: [EMAIL PROTECTED]; Community support list for Wireshark
Subject: Re: [Wireshark-users] Decoding packets from a Cisco's "ip
traffic-export" flow
On Sat, Mar 01, 2008 at 03:58:31PM -0600, Frank Bulk wrote:
>
shark-users] Decoding packets from a Cisco's "ip
traffic-export" flow
On Sat, Mar 01, 2008 at 10:30:16AM -0600, Frank Bulk wrote:
> Thanks for your willingness to look at this. I'm glad to have a tool like
> Wireshark because I can't interpret the raw packets. =)
>
>
ect: Re: [Wireshark-users] Decoding packets from a Cisco's "ip
traffic-export" flow
Frank Bulk wrote:
> Thanks! Did you use bittwiste with the '-D' option to remove the first 24
> bytes?
Actually: I did it the hard way using Wireshark export, an editor and
then text2pcap. :
Sake Blok wrote:
>
> I think it *is* a cisco bug...
>
> I tried to open the bug-tracker, but it seems to be offline at
> the moment. I think you should open a case with the Cisco-TAC
> for this issue. Feel free to use my analysis in the report.
> (if my assumptions on addresses were correct of
On Sat, Mar 01, 2008 at 03:58:31PM -0600, Frank Bulk wrote:
> I used bittwiste to remove the first 12 bytes of the attached packet capture
> that included a variety of traffic, and you'll see that some packets are
> fine, but others, such as 4, 7, 8, etc are not.
>
> Can anyone make sense of it?
On Sat, Mar 01, 2008 at 10:30:16AM -0600, Frank Bulk wrote:
> Thanks for your willingness to look at this. I'm glad to have a tool like
> Wireshark because I can't interpret the raw packets. =)
>
> Attached are three ping packets that my Wireshark PC caught. The info line
> complains "Bogus IP l
ailto:[EMAIL PROTECTED]
Sent: Saturday, March 01, 2008 12:13 PM
To: [EMAIL PROTECTED]; Community support list for Wireshark
Subject: Re: [Wireshark-users] Decoding packets from a Cisco's "ip
traffic-export" flow
Frank Bulk wrote:
>
> Ethernet hdr specifying type 0x0800 [IP]
>
Frank Bulk wrote:
> Thanks! Did you use bittwiste with the '-D' option to remove the first 24
> bytes?
Actually: I did it the hard way using Wireshark export, an editor and
then text2pcap. :)
(It's only the first 12 bytes that need to be removed).
>
> The "from" in your modified capt
From: Bill Meier [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 01, 2008 12:13 PM
To: [EMAIL PROTECTED]; Community support list for Wireshark
Subject: Re: [Wireshark-users] Decoding packets from a Cisco's "ip
traffic-export" flow
Frank Bulk wrote:
>
> Ethernet hdr sp
Frank Bulk wrote:
Ethernet hdr specifying type 0x0800 [IP]
00 12 79 63 1a 8c 00 30 b6 53 00 06 08 00
20 unknown (to me) bytes
b6 53
0010 00 08 00 01 4a 9e 0e 06 88 64 11 00 00 06 00 3e
0020 00 21
looks like a good ip hdr & icmp payloa
EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Meier
Sent: Saturday, March 01, 2008 11:24 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Decoding packets from a Cisco's "ip
traffic-export" flow
Frank Bulk wrote:
> Thanks for your willingn
Frank Bulk wrote:
> Thanks for your willingness to look at this. I'm glad to have a tool like
> Wireshark because I can't interpret the raw packets. =)
>
> Attached are three ping packets that my Wireshark PC caught. The info line
> complains "Bogus IP length (8, less than header length 24)".
>
]
Sent: Friday, February 29, 2008 10:40 PM
To: [EMAIL PROTECTED]; Community support list for Wireshark
Subject: Re: [Wireshark-users] Decoding packets from a Cisco's "ip
traffic-export" flow
On Fri, Feb 29, 2008 at 10:33:42PM -0600, Frank Bulk wrote:
> The packets are showing up in W
On Fri, Feb 29, 2008 at 09:40:27PM -0700, Stephen Fisher wrote:
> On Fri, Feb 29, 2008 at 10:33:42PM -0600, Frank Bulk wrote:
>
> > The packets are showing up in Wireshark on my workstation, but the
> > packets aren't decoding to show that they are a ping. I see the
> > payload of the ping in the
On Fri, Feb 29, 2008 at 10:33:42PM -0600, Frank Bulk wrote:
> The packets are showing up in Wireshark on my workstation, but the
> packets aren't decoding to show that they are a ping. I see the
> payload of the ping in the data section, but it's like the "ip traffic
> export" feature added anoth