Wireshark mailing list archives

Re: Ethernet dissector in Lua


From: Guy Harris <guy () alum mit edu>
Date: Sun, 8 Nov 2015 09:38:43 -0800


On Nov 8, 2015, at 8:33 AM, Edgar Petrov <edgar () asocsnetworks com> wrote:

> I am writing a dissector in Lua and I want to dissect ethernet packets where the EtherType field is actually the length (0 - 1500) and not a recognized/registered EtherType.

According to IEEE 802.3, the 2 octet field following the destination and source address fields is a type/length field, with values in the range 0 to 1500 being length values and values above 1536 being type values (and values from 1501 to 1535 being invalid).

So do you mean:

        1) I want to dissect packets in which the type/length field is in the range 0 - 1500, so that it's a length field, and in which the length field is followed by an 802.2 LLC header

or

        2) I want to dissect packets in which the type/length field has a value in the range 0 - 1500 but in which the value is an Ethernet type, in violation of the IEEE spec?

In case 1), your packets presumably either have an 802.2 SAP value assigned to them, which is used as the DSAP, or have a SNAP OUI and PID assigned to them; there are ways to handle them, but we need to know which of those two it is.

In case 2), there really isn't a way to handle that (and whoever's sending those packets really shouldn't be doing that, as it goes against the spec!).
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
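
The type/length ranges and the two 802.2 identification schemes (SAP versus SNAP OUI and PID) from the message above, worked through as an added stand-alone Python example; it is not code from the thread and does not use the Wireshark Lua API. The function names and sample frames are constructed for illustration.

```python
import struct

LLC_SNAP_SAP = 0xAA   # DSAP/SSAP value signalling that a SNAP header follows
LLC_UI = 0x03         # unnumbered-information control octet used with SNAP

def classify_type_length(value):
    """Classify the 2-octet field that follows the two MAC addresses."""
    if value <= 1500:
        return "length"      # 802.3 length; an 802.2 LLC header follows
    if value <= 1535:
        return "invalid"     # 1501-1535: neither a length nor a type
    return "type"            # 1536 (0x0600) and up: an Ethernet type

def parse_frame(frame):
    """Describe how the payload after the 14-byte MAC header is identified."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    value = struct.unpack("!H", frame[12:14])[0]
    info = {"field": value, "kind": classify_type_length(value)}
    if info["kind"] != "length":
        return info
    llc = frame[14:14 + value]   # the length bounds the LLC PDU; the rest is padding
    if len(llc) < 3:
        info["error"] = "truncated LLC header"
        return info
    dsap, ssap, control = llc[0], llc[1], llc[2]   # first control octet only
    info.update(dsap=dsap, ssap=ssap, control=control)
    if dsap == LLC_SNAP_SAP and ssap == LLC_SNAP_SAP and control == LLC_UI:
        if len(llc) < 8:
            info["error"] = "truncated SNAP header"
            return info
        info["snap_oui"] = llc[3:6].hex()                     # 3-octet OUI
        info["snap_pid"] = struct.unpack("!H", llc[6:8])[0]   # 2-octet PID
    return info

# Constructed sample frames (not captured traffic); addresses and values are made up.
MACS = bytes.fromhex("01005e000001" "020000000001")
SAP_FRAME = MACS + struct.pack("!H", 4) + bytes([0x42, 0x42, 0x03, 0x00]) + bytes(42)
SNAP_FRAME = (MACS + struct.pack("!H", 10)
              + bytes.fromhex("aaaa03" "00000c" "2000" "0000") + bytes(36))
TYPE_FRAME = MACS + struct.pack("!H", 0x0800) + bytes(46)

if __name__ == "__main__":
    for name, f in [("SAP", SAP_FRAME), ("SNAP", SNAP_FRAME), ("type", TYPE_FRAME)]:
        print(name, parse_frame(f))
```

A dissector for case 1) would key on `dsap` when a SAP is assigned, or on the `snap_oui`/`snap_pid` pair when SNAP is used.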

