tcpdump mailing list archives

Re: LLC protocol, ethereal and pcap libraries get along together?


From: Guy Harris <guy () alum mit edu>
Date: Wed, 7 Jul 2004 14:55:56 -0700


On Jul 7, 2004, at 10:44 AM, Claudio Lavecchia wrote:

> Writing a packet dissector based on pcap libraries on Linux and using it to sniff traffic going through a WLAN (dell truemobile 1150 with orinoco driver) card I noticed a really strange behaviour. The card is set in promiscuous mode, and I used Ethereal to dump the sniffed packets in a user-friendly way to further investigate what was going on. What I observe is that the card sniffs packets that follow either the 802.3 (RFC 1042) encapsulation or the ethernet (RFC 894) encapsulation,

In Ethereal, do these look like Ethernet packets (6-byte destination address, 6-byte source address, 2-byte type/length field) or do they look like 802.11 packets (2-byte frame control field with a type and flags byte, 2-byte duration field, 6-byte destination address, 6-byte source address, etc.)?

If they look like 802.11 packets, the ones using Ethernet encapsulation might be sent by some bridges that forward Ethernet packets inside 802.11 packets. The standard encapsulation for 802.11 is the RFC 1042 encapsulation, with an 802.2 header.

If they look like Ethernet packets, that's because the card or the driver is converting 802.11 packets into fake Ethernet packets, and they might map packets not using SNAP with an OUI of 0 into RFC 1042-style packets.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
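
For the case where the capture shows Ethernet-style headers, the RFC 894 and RFC 1042 encapsulations discussed in the message above can be told apart from the 2-byte type/length field and the 802.2 LLC/SNAP bytes that follow it. This is an added example, not code from the original message or from libpcap; `classify_frame`, the `encap` enum and the sample frames are constructed for illustration, and the 1500/0x0600 split of the type/length field is taken from IEEE 802.3 rather than from the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum encap { ENCAP_TRUNCATED, ENCAP_RFC894, ENCAP_RFC1042,
             ENCAP_SNAP_OTHER, ENCAP_LLC_OTHER, ENCAP_UNDEFINED };

/* Constructed sample frames (not captured traffic): dst MAC, src MAC, then
 * the 2-byte type/length field and the start of the payload. */
static const uint8_t sample_rfc894[] = {
    2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00, 0x45,0x00 };
static const uint8_t sample_rfc1042[] = {
    2,0,0,0,0,1, 2,0,0,0,0,2, 0x00,0x0A,
    0xAA,0xAA,0x03, 0x00,0x00,0x00, 0x08,0x00, 0x45,0x00 };
static const uint8_t sample_llc[] = {
    2,0,0,0,0,1, 2,0,0,0,0,2, 0x00,0x03, 0x42,0x42,0x03 };

/* Classify the encapsulation; *ethertype gets the protocol type when the
 * frame carries one (RFC 894 or RFC 1042), otherwise 0. */
enum encap classify_frame(const uint8_t *f, size_t len, uint16_t *ethertype)
{
    *ethertype = 0;
    if (len < 14) return ENCAP_TRUNCATED;
    uint16_t tl = (uint16_t)((f[12] << 8) | f[13]);
    if (tl >= 0x0600) {                     /* 1536 and up: an EtherType */
        *ethertype = tl;
        return ENCAP_RFC894;
    }
    if (tl > 1500) return ENCAP_UNDEFINED;  /* neither length nor type */
    if (len < 17) return ENCAP_TRUNCATED;   /* need DSAP, SSAP, control */
    if (f[14] != 0xAA || f[15] != 0xAA || f[16] != 0x03)
        return ENCAP_LLC_OTHER;             /* 802.2 LLC without SNAP */
    if (len < 22) return ENCAP_TRUNCATED;   /* need OUI + protocol type */
    if (f[17] | f[18] | f[19]) return ENCAP_SNAP_OTHER; /* non-zero OUI */
    *ethertype = (uint16_t)((f[20] << 8) | f[21]);
    return ENCAP_RFC1042;
}

int main(void)
{
    uint16_t et;
    printf("%d\n", classify_frame(sample_rfc894, sizeof sample_rfc894, &et));
    printf("%d\n", classify_frame(sample_rfc1042, sizeof sample_rfc1042, &et));
    printf("%d\n", classify_frame(sample_llc, sizeof sample_llc, &et));
    return 0;
}
```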

