Re: [tcpdump-workers] LLC protocol, ethereal and pcap libraries get along together?

2004-07-07 Thread Guy Harris
On Jul 7, 2004, at 10:44 AM, Claudio Lavecchia wrote:
> Writing a packet dissector based on pcap libraries on Linux and using
> it to sniff traffic going through a WLAN (dell truemobile 1150 with
> orinoco driver) card I noticed a really strange behaviour. The card is
> set in promiscuous mode, and I used Ethereal to dump the sniffed
> packets in a user-friendly way to further investigate what was going
> on.
>
> What I observe is that the card sniffs packets that follow either the
> 802.3 (RFC 1042) encapsulation or the ethernet (RFC 894)
> encapsulation,

In Ethereal, do these look like Ethernet packets (6-byte destination 
address, 6-byte source address, 2-byte type/length field) or do they 
look like 802.11 packets (2-byte frame control field with a type and 
flags byte, 2-byte duration field, 6-byte destination address, 6-byte 
source address, etc.)?

If they look like 802.11 packets, the ones using Ethernet encapsulation 
might be sent by some bridges that forward Ethernet packets inside 
802.11 packets.  The standard encapsulation for 802.11 is the RFC 1042 
encapsulation, with an 802.2 header.

If they look like Ethernet packets, that's because the card or the 
driver is converting 802.11 packets into fake Ethernet packets, and 
they might map packets not using SNAP with an OUI of 0 into RFC 
1042-style packets.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
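
The distinction drawn in the reply above, for the case where the capture shows Ethernet-style headers, written out as an added example (not code from this thread or from libpcap). The function, enum and sample frames are hypothetical names and constructed data; the check relies on the type/length field and the 802.2 LLC/SNAP header that RFC 1042 places after it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classification of a frame that starts with an Ethernet-style header. */
enum encap {
    ENCAP_TRUNCATED,   /* too short to decide */
    ENCAP_RFC894,      /* Ethernet II: type field >= 0x0600 */
    ENCAP_RFC1042,     /* length field + LLC/SNAP with OUI 00-00-00 */
    ENCAP_SNAP_OTHER,  /* LLC/SNAP with a non-zero OUI */
    ENCAP_LLC_OTHER,   /* length field + plain 802.2 LLC, no SNAP */
    ENCAP_UNDEFINED    /* type/length value in 1501..1535 */
};

/* Constructed sample headers (made-up addresses), both carrying IPv4.
 * The length value in SAMPLE_SNAP is illustrative; no payload follows. */
static const uint8_t SAMPLE_ETH2[] = { 2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00 };
static const uint8_t SAMPLE_SNAP[] = { 2,0,0,0,0,1, 2,0,0,0,0,2, 0x00,0x1C,
                                       0xAA,0xAA,0x03, 0,0,0, 0x08,0x00 };

/* For RFC 894 and RFC 1042 frames, *ethertype receives the payload type. */
enum encap classify_frame(const uint8_t *p, size_t len, uint16_t *ethertype)
{
    *ethertype = 0;
    if (len < 14)                       /* 6 dst + 6 src + 2 type/length */
        return ENCAP_TRUNCATED;
    uint16_t tl = (uint16_t)(p[12] << 8 | p[13]);
    if (tl >= 0x0600) { *ethertype = tl; return ENCAP_RFC894; }
    if (tl > 1500)
        return ENCAP_UNDEFINED;
    if (len < 17)                       /* need DSAP, SSAP, control */
        return ENCAP_TRUNCATED;
    if (p[14] != 0xAA || p[15] != 0xAA || p[16] != 0x03)
        return ENCAP_LLC_OTHER;
    if (len < 22)                       /* need 3-byte OUI + 2-byte type */
        return ENCAP_TRUNCATED;
    if (p[17] | p[18] | p[19])
        return ENCAP_SNAP_OTHER;
    *ethertype = (uint16_t)(p[20] << 8 | p[21]);
    return ENCAP_RFC1042;
}

int main(void)
{
    uint16_t t;
    printf("eth2: %d\n", classify_frame(SAMPLE_ETH2, sizeof SAMPLE_ETH2, &t));
    printf("snap: %d type 0x%04x\n",
           classify_frame(SAMPLE_SNAP, sizeof SAMPLE_SNAP, &t), t);
    return 0;
}
```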


[tcpdump-workers] spam to tcpdump-announce

2004-07-07 Thread Michael Richardson
Sorry, I noticed that tcpdump-announce was open to spammers.
It is closed now.

--
] Elmo went to the wrong fundraiser - The Simpson |  firewalls  [
]   Michael Richardson,Xelerance Corporation, Ottawa, ON|net architect[
] [EMAIL PROTECTED]  http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic(Just another Debian GNU/Linux using, kernel hacking, security guy); [