Frank Bulk wrote:
Ethernet hdr specifying type 0x0800 [IP]
0000  00 12 79 63 1a 8c 00 30 b6 53 00 06 08 00

20 unknown (to me) bytes
0000                                            b6 53
0010  00 08 00 01 4a 9e 0e 06 88 64 11 00 00 06 00 3e
0020  00 21

looks like a good ip hdr & icmp payload
0020        45 00 ....................................
0030  ................................................
0040  ................................................
0050  ............................................
OK: (Learning as I go) It turns out that it appears that what's really going on is that there's an extra 12 bytes of Ethernet destination/source at the beginning of the packet.
If I strip those, I get what appears to be the original frame (see attached).
So: it seems that the Ethernet src/dest at the beginning is (as you said) the MAC of the switch tap src and (presumably) the dest is the MAC of your Wireshark PC.
Interesting....
zila.pcap
Description: Binary data
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
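Added example (not part of the original thread): the stripping step from the reply, applied to the bytes visible in the quoted dump, followed by a decode of what remains. It assumes the dump rows join in offset order; the function names are illustrative, and the sample ends at `45 00` because the page elides the rest of the packet.

```python
import struct

ETH_P_PPPOE_SESSION = 0x8864   # EtherType for the PPPoE session stage
PPP_PROTO_IPV4 = 0x0021        # PPP protocol number for IPv4

# Bytes transcribed from the quoted dump, rows joined in offset order
# (assumption). Everything after "45 00" is elided on the page.
CAPTURED = bytes.fromhex(
    "001279631a8c0030b6530006"   # leading 12 bytes (extra dst/src pair)
    "0800b653000800014a9e0e06"   # next 12 bytes
    "8864" "11000006003e" "0021" "4500"
)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def strip_outer_pair(frame):
    """Remove the leading 12-byte dst/src pair; return (dst, src, rest)."""
    if len(frame) < 12:
        raise ValueError("frame shorter than the 12-byte prefix")
    return mac(frame[:6]), mac(frame[6:12]), frame[12:]

def parse_inner(frame):
    """Decode Ethernet II, then PPPoE session + PPP protocol if present."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    out = {"dst": mac(frame[0:6]), "src": mac(frame[6:12])}
    (out["ethertype"],) = struct.unpack("!H", frame[12:14])
    if out["ethertype"] != ETH_P_PPPOE_SESSION:
        return out  # not PPPoE: leave the payload undecoded
    if len(frame) < 22:
        raise ValueError("truncated PPPoE/PPP header")
    # PPPoE: ver/type (1), code (1), session id (2), length (2); PPP proto (2)
    vt, code, session, length, proto = struct.unpack("!BBHHH", frame[14:22])
    out.update(version=vt >> 4, type=vt & 0x0F, code=code,
               session_id=session, pppoe_length=length,
               ppp_proto=proto, payload=frame[22:])
    return out

if __name__ == "__main__":
    outer_dst, outer_src, inner = strip_outer_pair(CAPTURED)
    print("outer pair:", outer_dst, outer_src)
    info = parse_inner(inner)
    for key, value in info.items():
        print(f"{key:13} {value.hex() if isinstance(value, bytes) else value}")
    print("carries IPv4:", info.get("ppp_proto") == PPP_PROTO_IPV4)
```

Read without the strip, bytes 12-13 of the capture are `08 00`, which is why the first header looked like type 0x0800 followed by 20 unexplained bytes.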