Wireshark mailing list archives
Sometimes SLL/Linux cooked-mode capture is decoded and sometimes it's not (difference between two packets?)
From: Michael Lum <michael.lum () starsolutions com>
Date: Thu, 7 Jun 2018 14:31:48 -0700
Hi,

I've attached two captures with a single packet in each. They are both supposed to be syslog events injected into the capture with SLL (Linux cooked capture).

On one everything is decoded as expected; in the other, with the same first 16 octets, it is detected as Ethernet II only.

I cannot figure out why they are not both decoded as SLL/Linux cooked-mode captures.

Any thoughts would be greatly appreciated.

I'm running on Windows 7 using Wireshark 2.6.1. The capture was taken on a CentOS 7 box by a tool injecting the "fake" syslog message.

BR,
Michael

Michael Lum (michael.lum () starsolutions com) | STAR SOLUTIONS <http://www.starsolutions.com/> | Principal Software Engineer
4600 Jacombs Road, Richmond BC, Canada V6V 3B1 | +1.604.303.2315
Attachment: sll-not_detected.pcap
Attachment: sll-detected.pcap
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: https://www.wireshark.org/lists/wireshark-dev