--- Begin Message ---
On May 7, 2020, at 12:04 AM, Francois-Xavier Le Bail via tcpdump-workers
<tcpdump-workers@lists.tcpdump.org> wrote:
> On 07/05/2020 08:53, Guy Harris via tcpdump-workers wrote:
>
>> "Looks like a valid Ethernet address" is defined as "the first three octets
>> appear in Wireshark's file giving manufacturer names for OUIs".
> What if the destination address is ff:ff:ff:ff:ff:ff (broadcast) for e.g. ARP
> request ?
> Or some multicast address ?
In this *particular* case, that test is done only if the uppermost nibble of
the uppermost octet is 0, so that would only be the case for the source
address, which is less likely to be a group address than the destination
address. There may be other places where that heuristic dissector is used,
however.
--- End Message ---
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
