Wireshark mailing list archives

Re: Sometimes SLL/Linux cooked-mode capture is decoded and sometimes its not (difference between two packets?)


From: Pascal Quantin <pascal.quantin () gmail com>
Date: Thu, 7 Jun 2018 23:40:15 +0200

Hi Michael,

On Thu, 7 Jun 2018 at 23:32, Michael Lum <michael.lum () starsolutions com>
wrote:

Hi,

I've attached two captures with a single packet in each.

They are both supposed to be syslog events injected into the capture with
SLL (Linux cooked capture).

On one everything is decoded as expected; in the other, with the same first
16 octets, it is detected as Ethernet II only.

I cannot figure out why they are not both decoded as SLL/Linux cooked-mode
captures.

Any thoughts would be greatly appreciated.

I'm running on Windows 7 using Wireshark 2.6.1.
The capture was taken on a CentOS 7 box by a tool injecting the "fake"
syslog message.


This comes from the encapsulation type stored in the pcap file: one is
using 25 (Linux cooked capture) while the other one is using 1 (Ethernet).
So something is wrong with the tool used to capture the second pcap.
You can fix the file with the following command:

editcap -T linux-sll sll-not_detected.pcap sll-not_detected_fixed.pcap


Best regards,
Pascal.
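
The check and repair described in the reply above, as an added example that is not part of the original message or of Wireshark's code: it reads the link-layer type from a classic pcap global header, tests whether the first packet starts with a plausible 16-octet SLL header, and rewrites the header field. The function names, the heuristic and the sample capture are constructed for illustration; the constants are the on-disk LINKTYPE_ values, which are numbered differently from Wireshark's internal encapsulation types.

```python
import struct

# On-disk LINKTYPE_ values (tcpdump.org registry), not Wireshark's internal numbers.
LINKTYPE_ETHERNET = 1
LINKTYPE_LINUX_SLL = 113

# Magic number as it appears on disk -> struct byte-order prefix.
_BYTE_ORDER = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps
}

def read_linktype(pcap):
    """Return (byte_order, linktype) from a classic pcap global header."""
    if len(pcap) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    order = _BYTE_ORDER.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    return order, struct.unpack_from(order + "I", pcap, 20)[0]

def looks_like_sll(pcap):
    """Heuristic (assumption): first packet begins with a plausible SLL header."""
    order, _ = read_linktype(pcap)
    if len(pcap) < 40:                      # no complete record header
        return False
    incl_len = struct.unpack_from(order + "I", pcap, 32)[0]
    frame = pcap[40:40 + incl_len]
    if len(frame) < 16:                     # SLL header is 16 octets
        return False
    pkttype, _hatype, halen = struct.unpack_from(">HHH", frame, 0)
    return pkttype <= 4 and halen <= 8      # known packet types, address fits

def set_linktype(pcap, linktype):
    """Return a copy with only the global header's link-type field changed."""
    order, _ = read_linktype(pcap)
    return pcap[:20] + struct.pack(order + "I", linktype) + pcap[24:]

def build_sample(linktype):
    """Constructed one-packet little-endian capture with an SLL-framed payload."""
    addr = bytes.fromhex("020000000001") + b"\x00\x00"
    frame = struct.pack(">HHH8sH", 0, 1, 6, addr, 0x0800) + b"\x45" + bytes(19)
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return ghdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

if __name__ == "__main__":
    bad = build_sample(LINKTYPE_ETHERNET)   # mislabelled, as in the thread
    if read_linktype(bad)[1] == LINKTYPE_ETHERNET and looks_like_sll(bad):
        print("fixed link type:", read_linktype(set_linktype(bad, LINKTYPE_LINUX_SLL))[1])
```
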
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev