Toralf Förster wrote: > Hi, > > thank's for your reply > >> have you had an opportunuty to see what actually goes through the wire? > Unfortunately not :-(
It appears, from the packets you sent in your other message (which would've been less confusing if you'd sent it as a reply to your own message) that the PPPoE header, as captured, is bogus; it claims that the payload length is 14 bytes, not 1294 bytes. I don't know whether that's because the payload length is really wrong on the wire, or because the Linux PPPoE implementation just tweaks the PPPoE header in-place before the packet gets handed to the socket layer (and thus to libpcap and thus tcpdump/Wireshark/whatever program is capturing). I would not be in the least surprised to find that it's the latter, as we've had problems with captures done on Linux before this, for the same reason. I thought there was copy-on-write logic that would prevent modified-in-place packets from being handed to programs capturing traffic, but I guess it either doesn't exist or isn't being used. _______________________________________________ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
