I used bittwiste to remove the first 12 bytes of the attached packet capture, which included a variety of traffic, and you'll see that some packets are fine, but others, such as 4, 7, 8, etc., are not.
Can anyone make sense of it?

Regards,
Frank

-----Original Message-----
From: Bill Meier [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 01, 2008 12:13 PM
To: [EMAIL PROTECTED]; Community support list for Wireshark
Subject: Re: [Wireshark-users] Decoding packets from a Cisco's "ip traffic-export" flow

Frank Bulk wrote:
>
> Ethernet hdr specifying type 0x0800 [IP]
> 0000 00 12 79 63 1a 8c 00 30 b6 53 00 06 08 00
>
> 20 unknown (to me) bytes
> 0000 b6 53
> 0010 00 08 00 01 4a 9e 0e 06 88 64 11 00 00 06 00 3e
> 0020 00 21
>
> looks like a good ip hdr & icmp payload
> 0020 45 00 ....................................
> 0030 ................................................
> 0040 ................................................
> 0050 ............................................
>

OK: (Learning as I go)

It turns out that it appears that what's really going on is that there's an extra 12 bytes of ethernet destination/source at the beginning of the packet. If I strip those, I get what appears to be the original frame (see attached).

So: it seems that the ethernet src/dest at the beginning is (as you said) the MAC of the switch tap src and (presumably) the dest is the MAC of your wireshark PC.

Interesting....
Attachments:
bittwiste_output.pcap (binary data)
ip_traffic-export(more).pcap (binary data)
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
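To reproduce the 12-byte strip without bittwiste and see which frames it breaks, here is an added Python example (not from the thread): it parses a classic little-endian pcap, drops the first 12 bytes of every frame, rewrites the file, and reports the EtherType each stripped frame now carries, so any frame that did not actually have the extra MAC pair in front (and is mangled by a blanket strip) shows up with an unknown EtherType. The sample capture is constructed inline; only the 12-byte tap MAC pair is taken from the quoted dump, everything else is made up.

```python
import struct

PCAP_HDR = struct.Struct("<IHHiIII")  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q"}

def read_pcap(data):
    """Parse a little-endian classic pcap into (global header tuple, list of records)."""
    hdr = PCAP_HDR.unpack_from(data, 0)
    if hdr[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap (magic a1b2c3d4) is handled here")
    recs, off = [], PCAP_HDR.size
    while off < len(data):
        ts_sec, ts_usec, incl, orig = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        recs.append((ts_sec, ts_usec, orig, data[off:off + incl]))
        off += incl
    return hdr, recs

def write_pcap(hdr, recs):
    out = bytearray(PCAP_HDR.pack(*hdr))
    for ts_sec, ts_usec, orig, pkt in recs:
        out += REC_HDR.pack(ts_sec, ts_usec, len(pkt), orig) + pkt
    return bytes(out)

def strip_prefix(recs, n=12):
    """Drop the leading n bytes (the tap's own dst/src MAC pair) from every frame."""
    return [(s, u, max(orig - n, 0), pkt[n:]) for s, u, orig, pkt in recs]

def ethertype_report(recs):
    """Name the EtherType at offset 12 of each frame; an unknown value marks a frame the strip mangled."""
    names = []
    for _, _, _, pkt in recs:
        et = struct.unpack_from("!H", pkt, 12)[0] if len(pkt) >= 14 else None
        names.append("short" if et is None else ETHERTYPES.get(et, "unknown 0x%04x" % et))
    return names

# Constructed sample: the 12-byte tap dst/src pair from the quoted dump in front of two ordinary
# frames, plus a third frame captured without the prefix (which a blanket strip then breaks).
TAP_PREFIX = bytes.fromhex("001279631a8c0030b6530006")
def eth(ethertype):  # made-up dst/src MACs followed by the given EtherType
    return bytes.fromhex("0a0b0c0d0e0f0a0b0c0d0e10") + struct.pack("!H", ethertype)
IPV4_HDR = bytes.fromhex("45000014000100004001") + bytes(10)  # minimal header, checksum left zero
FRAMES = [TAP_PREFIX + eth(0x0800) + IPV4_HDR, TAP_PREFIX + eth(0x0806) + bytes(28), eth(0x0800) + IPV4_HDR]
SAMPLE_PCAP = write_pcap((0xA1B2C3D4, 2, 4, 0, 0, 65535, 1), [(0, i, len(f), f) for i, f in enumerate(FRAMES)])
if __name__ == "__main__":
    _, recs = read_pcap(SAMPLE_PCAP)
    for idx, name in enumerate(ethertype_report(strip_prefix(recs)), 1):
        print("frame %d: %s" % (idx, name))  # frame 3 reports unknown 0x0000
```

Run it on a real file by replacing SAMPLE_PCAP with the bytes of the capture and writing the result of write_pcap back out; frames the report flags are the ones to inspect by hand rather than strip blindly.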