On Nov 8, 2015, at 8:33 AM, Edgar Petrov <[email protected]> wrote:
> I am writing a dissector in Lua and I want to dissect ethernet packets where
> the EtherType field is actually the length (0 - 1500) and not a
> recognized/registered EtherType.
According to IEEE 802.3, the 2 octet field following the destination and source
address fields is a type/length field, with values in the range 0 to 1500 being
length values and values above 1536 being type values (and values from 1501 to
1535 being invalid).
So do you mean:
1) I want to dissect packets in which the type/length field is in the
range 0 - 1500, so that it's a length field, and in which the length field is
followed by an 802.2 LLC header
or
2) I want to dissect packets in which the type/length field has a value
in the range 0 - 1500 but in which the value is an Ethernet type, in violation
of the IEEE spec?
In case 1), your packets presumably either have an 802.2 SAP value assigned to
them, which is used as the DSAP, or have a SNAP OUI and PID assigned to them;
there are ways to handle them, but we need to know which of those two it is.
In case 2), there really isn't a way to handle that (and whoever's sending
those packets really shouldn't be doing that, as it goes against the spec!).
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]?subject=unsubscribe
