[tcpdump-workers] LLC protocol, ethereal and pcap libraries get along together?

2004-07-07 Thread Claudio Lavecchia
Hello list,

Writing a packet dissector based on pcap libraries on Linux and using it to sniff traffic going through a WLAN (Dell TrueMobile 1150 with orinoco driver) card, I noticed a really strange behaviour. The card is set in promiscuous mode, and I used Ethereal to dump the sniffed packets in a user-friendly way to further investigate what was going on.

What I observe is that the card sniffs packets that follow either the 802.3 (RFC 1042) encapsulation or the Ethernet (RFC 894) encapsulation, which is somewhat surprising, as I would expect that only one of those two encapsulations (Ethernet?) would be used.

Furthermore, through Ethereal I could see that the "suspect" packets that are encapsulated using the 802.3 encapsulation carry LLC protocol traffic and seem to be originated, according to the source MAC address that I see in Ethereal, by another WLAN card of the same type. The odd thing is that the device in which this card is plugged is switched off at the moment I execute the capture!

Can anyone turn the light on for me, please?
 
Claudio


Re: [tcpdump-workers] LLC protocol, ethereal and pcap libraries get along together?

2004-07-07 Thread Guy Harris
On Jul 7, 2004, at 10:44 AM, Claudio Lavecchia wrote:
> Writing a packet dissector based on pcap libraries on Linux and using
> it to sniff traffic going through a WLAN (dell truemobile 1150 with
> orinoco driver) card I noticed a really strange behaviour. The card is
> set in promiscuous mode, and I used Ethereal to dump the sniffed
> packets in a user-friendly way to further investigate what was going
> on.
> What I observe is that the card sniffs packet that follow either the
> 802.3 (RFC 1042) encapsulation or the ethernet (RFC 894)
> encapsulation,
In Ethereal, do these look like Ethernet packets (6-byte destination
address, 6-byte source address, 2-byte type/length field) or do they
look like 802.11 packets (2-byte frame control field with a type and
flags byte, 2-byte duration field, 6-byte destination address, 6-byte
source address, etc.)?

If they look like 802.11 packets, the ones using Ethernet encapsulation 
might be sent by some bridges that forward Ethernet packets inside 
802.11 packets.  The standard encapsulation for 802.11 is the RFC 1042 
encapsulation, with an 802.2 header.

If they look like Ethernet packets, that's because the card or the 
driver is converting 802.11 packets into fake Ethernet packets, and 
they might map packets not using SNAP with an OUI of 0 into RFC 
1042-style packets.
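
The distinction both messages turn on (RFC 894 EtherType versus an 802.3 length field followed by 802.2 LLC, optionally with an RFC 1042 SNAP header) is easy to get wrong in a hand-written pcap dissector. The classifier below is an added example, not code from the thread or from libpcap; it assumes the capture is delivered as Ethernet-style frames (what pcap_datalink() reports as DLT_EN10MB, the case Guy describes where the driver hands up fake Ethernet), and the sample frames at the bottom are constructed, not captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* What follows the 14-byte MAC header of a captured frame. */
enum framing {
    FRAME_TRUNCATED,    /* header claims more than the capture holds */
    FRAME_ETHERNET_II,  /* RFC 894: bytes 12-13 hold an EtherType (>= 0x0600) */
    FRAME_8023_LLC,     /* 802.3 length, then an 802.2 LLC header (DSAP/SSAP/ctl) */
    FRAME_8023_SNAP     /* LLC AA AA 03 + SNAP; RFC 1042 when the OUI is 00:00:00 */
};
struct frame_info {
    enum framing kind;
    uint16_t ethertype;  /* EtherType or SNAP protocol id, 0 if none */
    uint8_t dsap, ssap;  /* 802.2 SAPs (802.3 kinds only) */
    uint8_t oui[3];      /* SNAP OUI (FRAME_8023_SNAP only) */
};

/* Classify one frame from a DLT_EN10MB capture; every read is bounds-checked
 * against caplen, the number of bytes pcap actually captured. */
struct frame_info classify_frame(const uint8_t *buf, size_t caplen)
{
    struct frame_info fi = { FRAME_TRUNCATED };
    if (caplen < 14)
        return fi;
    uint16_t tl = (uint16_t)((buf[12] << 8) | buf[13]);
    if (tl >= 0x0600) {                 /* an EtherType, so Ethernet II */
        fi.kind = FRAME_ETHERNET_II;
        fi.ethertype = tl;
        return fi;
    }
    if (tl < 3 || 14 + tl > caplen)     /* 802.3 length must cover the LLC header */
        return fi;
    fi.dsap = buf[14];
    fi.ssap = buf[15];
    fi.kind = FRAME_8023_LLC;
    if (fi.dsap == 0xAA && fi.ssap == 0xAA && buf[16] == 0x03 && tl >= 8) {
        memcpy(fi.oui, buf + 17, 3);    /* RFC 1042 encapsulation uses OUI 00:00:00 */
        fi.ethertype = (uint16_t)((buf[20] << 8) | buf[21]);
        fi.kind = FRAME_8023_SNAP;
    }
    return fi;
}

/* Constructed sample frames (not captured traffic): 12 address bytes, then the type/length field. */
static const uint8_t SAMPLE_ETH2[] = { 0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x00, 0x45 };       /* IPv4, RFC 894 */
static const uint8_t SAMPLE_RFC1042[] = { 0,1,2,3,4,5, 6,7,8,9,10,11, 0x00,0x08, 0xAA,0xAA,0x03, 0,0,0, 0x08,0x06 }; /* ARP, RFC 1042 */
static const uint8_t SAMPLE_LLC[] = { 0,1,2,3,4,5, 6,7,8,9,10,11, 0x00,0x03, 0x42,0x42,0x03 }; /* plain LLC, STP SAPs */
```

A frame whose 802.3 length field exceeds caplen is reported as truncated rather than parsed, which is what keeps a snaplen-limited capture from reading past the buffer.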

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.