--- Begin Message ---
On 07/05/2020 09:17, Guy Harris wrote:
>> On 07/05/2020 08:53, Guy Harris via tcpdump-workers wrote:
>>
>>> "Looks like a valid Ethernet address" is defined as "the first three octets
>>> appear in Wireshark's file giving manufacturer names for OUIs".
>> What if the destination address is ff:ff:ff:ff:ff:ff (broadcast) for e.g.
>> ARP request ?
>> Or some multicast address ?
> In this *particular* case, that test is done only if the uppermost nibble of
> the uppermost octet is 0, so that would only be the case for the source
> address, which is less likely to be a group address than the destination
> address. There may be other places where that heuristic dissector is used,
> however.
Ok.
What if the first nibble is <> de 4, 6, 1, 0, e.g. 'f' like the first f of
ff:ff:ff:ff:ff:ff ?
--
Francois-Xavier
--- End Message ---
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
