Martin Regner wrote: > Guy Harris wrote: > > On Mon, Feb 16, 2004 at 12:48:08PM +0100, [EMAIL PROTECTED] wrote: > > > I'm trying to analize BGP session over ATM but I get "network type 13 > > > unknown". > > > > On what OS did you run tcpdump? > > > > A network capture type of 13 means different things on different OSes. > > > > In FreeBSD and NetBSD, it means DLT_SLIP_BSDOS, which is a libpcap > > encapsulation of SLIP that's used in BSD/OS - but FreeBSD and NetBSD > > don't use that encapsulation and don't generate captures of that sort, > > and DLT_SLIP_BSDOS is 15, not 13, in BSD/OS. > > > > In BSD/OS, 13 is DLT_ATM_RFC1483, for traffic encapsulated over ATM AAL5 > > as per RFC 1483. > > > > In OpenBSD, it's DLT_ENC, which I think is some sort of encapsulation > > used for decrypted IPsec traffic. > > > > diaz_d1 enclosed a sample capture with his mail. > > I think it looked like LLC header AA-AA-03 (i.e. SNAP header), but with four > bytes before the LLC header. > > I guess that it is DLT_ATM_RFC1483 but with four extra bytes first.
Maybe it is captured with some special Nokia tcpdump version. When I modified the linktype value that Ethereal supports the Summary info said "Nokia libpcap (tcpdump)". If I remove the four first octets for each packet (by using text2pcap) and set linktype to 100 then I see LLC-SNAP/IP/GTP/IP/.. packets that looks reasonable, but they are truncated due to a too short snapshot length (the "-s" option could be used to use a greater snapshot length when capturing with tcpdump). _______________________________________________ Ethereal-users mailing list [EMAIL PROTECTED] http://www.ethereal.com/mailman/listinfo/ethereal-users
