Hello list,

Writing a packet dissector based on pcap libraries on Linux and using it to sniff traffic going through a WLAN card (Dell TrueMobile 1150 with orinoco driver), I noticed a really strange behaviour. The card is set in promiscuous mode, and I used Ethereal to dump the sniffed packets in a user-friendly way to further investigate what was going on.

What I observe is that the card sniffs packets that follow either the 802.3 (RFC 1042) encapsulation or the Ethernet (RFC 894) encapsulation, which is somewhat surprising, as I would expect that only one of those two encapsulations (Ethernet?) would be used.

Furthermore, through Ethereal I could see that the "suspect" packets that are encapsulated using the 802.3 encapsulation carry LLC protocol traffic and seem to originate, according to the source MAC address that I see in Ethereal, from another WLAN card of the same type. The odd thing is that the device in which this card is plugged in is switched off at the moment I execute the capture!

Can anyone turn the light on for me, please?

Claudio
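
An added example, not part of the original post: a dissector can tell the two encapsulations mentioned above apart from the 2-byte type/length field at offset 12 of the frame. The function name, enum and sample frames are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum encap { ENCAP_TRUNCATED, ENCAP_ETHERNET_II, ENCAP_8023_LLC,
             ENCAP_8023_SNAP, ENCAP_UNDEFINED };

/* Classify a frame that starts at the destination MAC address.
 * *proto receives the EtherType (Ethernet II or SNAP) or the DSAP (plain LLC).
 * For SNAP it is an EtherType only when the OUI is 00-00-00 (RFC 1042). */
enum encap classify_frame(const uint8_t *f, size_t len, uint16_t *proto)
{
    if (len < 14)                  /* dst(6) + src(6) + type/length(2) */
        return ENCAP_TRUNCATED;
    uint16_t tl = (uint16_t)(f[12] << 8 | f[13]);
    if (tl >= 0x0600) {            /* RFC 894: field is an EtherType */
        *proto = tl;
        return ENCAP_ETHERNET_II;
    }
    if (tl > 1500)                 /* 1501..1535 is neither length nor type */
        return ENCAP_UNDEFINED;
    if (len < 17)                  /* 802.2 LLC: DSAP, SSAP, control */
        return ENCAP_TRUNCATED;
    if (f[14] == 0xAA && f[15] == 0xAA && f[16] == 0x03) {
        if (len < 22)              /* SNAP: OUI(3) + protocol id(2) */
            return ENCAP_TRUNCATED;
        *proto = (uint16_t)(f[20] << 8 | f[21]);
        return ENCAP_8023_SNAP;
    }
    *proto = f[14];
    return ENCAP_8023_LLC;
}

/* Constructed sample frames (zeroed MAC addresses, no payload). */
static const uint8_t eth2_frame[] = {0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00};
static const uint8_t snap_frame[] = {0,0,0,0,0,0, 0,0,0,0,0,0, 0x00,0x08,
                                     0xAA,0xAA,0x03, 0,0,0, 0x08,0x00};
static const uint8_t llc_frame[]  = {0,0,0,0,0,0, 0,0,0,0,0,0, 0x00,0x03,
                                     0x42,0x42,0x03};

int main(void)
{
    uint16_t p = 0;
    printf("eth2: %d\n", classify_frame(eth2_frame, sizeof eth2_frame, &p));
    printf("snap: %d\n", classify_frame(snap_frame, sizeof snap_frame, &p));
    printf("llc:  %d\n", classify_frame(llc_frame, sizeof llc_frame, &p));
    return 0;
}
```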