Hi Michael,

On Thu, 7 June 2018 at 23:32, Michael Lum <[email protected]> wrote:

> Hi,
>
> I've attached two captures with a single packet in each.
>
> They are both supposed to be syslog events injected into the capture with
> SLL (Linux cooked capture).
>
> On one everything is decoded as expected; in the other, with the same first
> 16 octets, it is detected as
> Ethernet II only.
>
> I cannot figure out why they are not both decoded as SLL/Linux cooked-mode
> captures.
>
> Any thoughts would be greatly appreciated.
>
> I'm running on Windows 7 using Wireshark 2.6.1.
> The capture was taken on a CentOS 7 box by a tool injecting the "fake"
> syslog message.
>

This comes from the encapsulation type stored in the pcap file: one is using 25 (Linux cooked capture) while the other one is using 1 (Ethernet). So something is wrong with the tool used to capture the second pcap.

You can fix the file with the following command:

    editcap -T linux-sll sll-not_detected.pcap sll-not_detected_fixed.pcap

Best regards,
Pascal.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
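The header field behind this diagnosis can be checked and corrected directly; the following Python sketch is an added example, not part of the original thread or of Wireshark. It assumes the classic pcap format (not pcapng), and `build_sample` produces constructed data, not the attached captures.

```python
import struct

# Classic pcap magic values as seen when read little-endian -> file byte order.
MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">",   # microsecond timestamps
          0xA1B23C4D: "<", 0x4D3CB2A1: ">"}   # nanosecond timestamps
# Link-layer type numbers as written in the file header. Wireshark maps these
# to its own internal encapsulation numbers, where Linux cooked capture is 25.
LINKTYPE_ETHERNET = 1
LINKTYPE_LINUX_SLL = 113
HEADER_LEN = 24


def read_linktype(data):
    """Return (byte_order, linktype) from a classic pcap global header."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated pcap global header")
    order = MAGICS.get(struct.unpack("<I", data[:4])[0])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng or other format)")
    network = struct.unpack(order + "I", data[20:24])[0]
    return order, network & 0xFFFF  # link type sits in the low 16 bits


def set_linktype(data, linktype):
    """Return a copy of the capture with only the header link type changed."""
    order, _ = read_linktype(data)
    old = struct.unpack(order + "I", data[20:24])[0]
    new = (old & 0xFFFF0000) | linktype  # keep any upper-bit information
    return data[:20] + struct.pack(order + "I", new) + data[24:]


def build_sample(linktype):
    """Constructed capture: global header plus one bare 16-byte SLL header."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    # SLL: packet type, ARPHRD type, address length, 8-byte address, protocol
    sll = struct.pack(">HHH8sH", 0, 1, 6, b"\x00" * 8, 0x0800)
    record = struct.pack("<IIII", 0, 0, len(sll), len(sll)) + sll
    return header + record


if __name__ == "__main__":
    bad = build_sample(LINKTYPE_ETHERNET)          # mislabelled, as in the thread
    fixed = set_linktype(bad, LINKTYPE_LINUX_SLL)  # header now says Linux SLL
    print(read_linktype(bad)[1], "->", read_linktype(fixed)[1])
```

Only the four-byte link-type field changes; the packet records are copied through untouched, so a wrong label can be corrected without altering the captured bytes.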
