>Hopefully this is not an obvious question, > >Am looking at the headers from 802.3 and Ethernet (RFC 894). My question >is: Off the wire how does one, libpcap for example, differenciate between >802.3 and Ethernet encapsulation?
iirc, you look at the two bytes in the ethernet header where the two formats differ, and if you have 05dc or less, it's "ethernet" (since that's the largest value you could have as a length), and if it's more than 05dc, then it's a type specifier. there are two conflicts with this, xerox pup (type 0200) and nixdorf (type 0400), but i don't expect you'll see those. if you want to look up any random specifier on the fly, use dig (or host) thusly: % host -t txt 0800.ec.graffiti.com 0800.ec.graffiti.com text "DOD Internet Protocol (IP) (Ethernet.txt)" 0800.ec.graffiti.com text "Internet IP (IPv4) (ethernet-numbers)" % host -t txt 0806.ec.graffiti.com 0806.ec.graffiti.com text "Address Resolution Protocol (ARP) (for IP and for CHAOS) (Ethernet.txt)" 0806.ec.graffiti.com text "ARP (ethernet-numbers)" -- |-----< "CODE WARRIOR" >-----| [EMAIL PROTECTED] * "ah! i see you have the internet [EMAIL PROTECTED] (Andrew Brown) that goes *ping*!" [EMAIL PROTECTED] * "information is power -- share the wealth." - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:[EMAIL PROTECTED]
