Hello List,

I'm trying to enable some people to read some captures in libpcap format directly without having to change the binary capture packet first. The packet was captured using Cisco's ERSPAN feature. In their infinite wisdom, the engineers who implemented that feature chose a dlt-value of 0x71. What is the best way to handle that situation? Does someone else use pcap version 2.4, or could that be a way to find out whether it's some Cisco specific stuff or the regular WTAP_ENCAP_SLL?

I'll attach the packet and what I've found out about the packet format so far.

ciao
Joerg

--
Joerg Mayer <[EMAIL PROTECTED]>
We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.
Attachment: msfc-capture.pcap (application/cap)
[EMAIL PROTECTED]:~/work/wireshark/infos/cisco/msfc-capture> xxd msfc-capture.pcap
0000000: d4c3 b2a1 0200 0400 0000 0000 0000 0000   <-- pcap header
0000010: ffff 0000
0000010: 7100 0000                                 <-- 0x71 (DLT_TYPE) = linux_cooked_capture (of course not)
0000010: 7507 f845 11d1 0500                       <-- pcap record header
0000020: 7a00 0000 7a00 0000
0000020: 0000 030a 0000 0000
0000030: 0000 0000
0000030: 0000 88be                                 <-- GRE header
0000030: 1002 0001 0000 0380                       <-- ERSPAN header (01: erspan-id)
0000040: 00d0 b7a7 7480 0015 c721 75c0 0800 4500   <-- Ethernet packet
0000050: 0054 0000 4000 ff01 67a5 0aff ff03 0aff
0000060: ff01 0000 3c44 0810 0078 7507 f845 17cf
0000070: 0500 dead babe dead babe dead babe dead
0000080: babe dead babe dead babe dead babe dead
0000090: babe dead babe dead babe dead babe dead
00000a0: babe

rfc2784:

2.1. GRE Header

   The GRE packet header has the form:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |C|       Reserved0       | Ver |         Protocol Type         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Checksum (optional)      |       Reserved1 (Optional)    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

http://www.cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a008069952a.html

For ERSPAN packets, the "protocol type" field value in the GRE header is 0x88BE.
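The check a reader of the post would want, added here as an editor's example rather than code from the post or from Wireshark: parse the 162 bytes shown by xxd as a classic pcap file and, because linktype 0x71 is LINKTYPE_LINUX_SLL (113), read the first 16 bytes of the record as a Linux cooked header (packet type, hardware type, address length, 8-byte address, protocol). Read that way, the hardware type is 0x030a, which is ARPHRD_IPGRE (778) in the Linux if_arp.h header, and the protocol is 0x88BE, the ERSPAN GRE protocol type quoted from the Cisco page, so the bytes are consistent with an ordinary SLL capture taken on a GRE device; the two bytes the post labels as the GRE header fall inside the SLL address and protocol fields. The ERSPAN field layout (version and VLAN, COS/En/T and session ID, reserved and index) is assumed from the ERSPAN Type II draft and is not in the post; the capture bytes are constructed from the xxd output above.

```python
"""Decode the first record of the quoted capture: pcap -> Linux SLL -> ERSPAN -> Ethernet/IPv4."""
import struct

LINKTYPE_LINUX_SLL = 113   # 0x71 in the pcap global header (Linux cooked capture)
ARPHRD_IPGRE = 778         # 0x030a, Linux if_arp.h hardware type of a GRE-over-IP device
ETHERTYPE_ERSPAN = 0x88BE  # GRE protocol type for ERSPAN, as quoted from the Cisco page

# Constructed from the xxd output in the post: the complete 162-byte msfc-capture.pcap.
CAPTURE = bytes.fromhex(
    "d4c3b2a1 02000400 00000000 00000000 ffff0000 71000000"  # pcap global header
    "7507f845 11d10500 7a000000 7a000000"                    # pcap record header
    "0000030a 00000000 00000000 000088be"                    # 16 bytes: Linux SLL header
    "10020001 00000380"                                      # 8 bytes: ERSPAN header
    "00d0b7a77480 0015c72175c0 0800"                         # Ethernet header
    "45000054 00004000 ff0167a5 0affff03 0affff01"           # IPv4 header
    "00003c44 08100078 7507f845 17cf0500" + "deadbabe" * 12  # ICMP header + payload
)


def parse_global_header(buf):
    """Return (struct endianness prefix, header fields) for a classic libpcap file."""
    if buf[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"          # magic stored little-endian, as in the dump
    elif buf[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    major, minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", buf[4:24])
    return endian, {"version": (major, minor), "snaplen": snaplen, "linktype": linktype}


def parse_record_header(buf, endian):
    """16-byte per-record header: seconds, microseconds, captured length, original length."""
    ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", buf[:16])
    return {"ts_sec": ts_sec, "ts_usec": ts_usec, "incl_len": incl_len, "orig_len": orig_len}


def parse_sll(data):
    """Linux cooked header: pkttype, hatype, halen, addr[8], protocol, all big-endian."""
    pkttype, hatype, halen = struct.unpack("!HHH", data[:6])
    (protocol,) = struct.unpack("!H", data[14:16])
    return {"pkttype": pkttype, "hatype": hatype, "halen": halen,
            "addr": data[6:6 + halen].hex(), "protocol": protocol}


def parse_erspan(data):
    """ERSPAN Type II header; the bit layout is assumed from the ERSPAN draft, not the post."""
    w1, w2, w3 = struct.unpack("!HHI", data[:8])
    return {"version": w1 >> 12, "vlan": w1 & 0x0FFF,
            "cos": w2 >> 13, "en": (w2 >> 11) & 0x3, "t": (w2 >> 10) & 0x1,
            "session_id": w2 & 0x03FF, "index": w3 & 0x000FFFFF}


def parse_ethernet(data):
    """Ethernet II header plus the addresses and protocol of an IPv4 payload, if present."""
    (ethertype,) = struct.unpack("!H", data[12:14])
    info = {"dst": data[:6].hex(":"), "src": data[6:12].hex(":"), "ethertype": ethertype}
    if ethertype == 0x0800:
        ip = data[14:]
        (total_len,) = struct.unpack("!H", ip[2:4])
        info.update(ip_len=total_len, ip_proto=ip[9],
                    ip_src=".".join(str(b) for b in ip[12:16]),
                    ip_dst=".".join(str(b) for b in ip[16:20]))
    return info


def decode_first_record(buf):
    """Walk pcap -> SLL -> ERSPAN -> Ethernet for the first record and return every layer."""
    endian, ghdr = parse_global_header(buf)
    rec = parse_record_header(buf[24:40], endian)
    pkt = buf[40:40 + rec["incl_len"]]
    if len(pkt) != rec["incl_len"]:
        raise ValueError("record truncated")
    if ghdr["linktype"] != LINKTYPE_LINUX_SLL:
        raise ValueError(f"linktype {ghdr['linktype']} is not LINUX_SLL")
    sll = parse_sll(pkt)
    layers = {"pcap": ghdr, "record": rec, "sll": sll}
    # Read as SLL, the bytes the post labels "GRE header" are the tail of the 8-byte
    # SLL address plus the SLL protocol field, which carries the GRE protocol type.
    if sll["hatype"] == ARPHRD_IPGRE and sll["protocol"] == ETHERTYPE_ERSPAN:
        layers["erspan"] = parse_erspan(pkt[16:24])
        layers["ethernet"] = parse_ethernet(pkt[24:])
    return layers


if __name__ == "__main__":
    for name, fields in decode_first_record(CAPTURE).items():
        print(f"{name}: {fields}")
```

Running the script prints each layer; the SLL layer shows hatype 778 and protocol 0x88BE, the ERSPAN layer shows session ID 1 (the "01: erspan-id" the post points at) and the inner frame decodes as an ICMP packet between 10.255.255.3 and 10.255.255.1. The lengths also tie out: the record's 122 captured bytes are 16 (SLL) + 8 (ERSPAN) + 98 (Ethernet), and the IPv4 total length of 84 matches the remaining bytes.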
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-dev