Re: Libpcap :: 802.3 and Ethernet headers

[Andrew Brown <atatat () atatdot net>]

> Hopefully this is not an obvious question,
>
> Am looking at the headers from 802.3 and Ethernet (RFC 894).  My question
> is:  Off the wire how does one, libpcap for example, differenciate between
> 802.3 and Ethernet encapsulation?

iirc, you look at the two bytes in the ethernet header where the two
formats differ, and if you have 05dc or less, it's "ethernet" (since
that's the largest value you could have as a length), and if it's more
than 05dc, then it's a type specifier.

there are two conflicts with this, xerox pup (type 0200) and nixdorf
(type 0400), but i don't expect you'll see those.

if you want to look up any random specifier on the fly, use dig (or
host) thusly:

   % host -t txt 0800.ec.graffiti.com
   0800.ec.graffiti.com text "DOD Internet Protocol (IP) (Ethernet.txt)"
   0800.ec.graffiti.com text "Internet IP (IPv4) (ethernet-numbers)"
   % host -t txt 0806.ec.graffiti.com
   0806.ec.graffiti.com text "Address Resolution Protocol (ARP) (for IP and for CHAOS) (Ethernet.txt)"
   0806.ec.graffiti.com text "ARP (ethernet-numbers)"

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior () daemon org             * "ah!  i see you have the internet
twofsonet () graffiti com (Andrew Brown)                that goes *ping*!"
werdna () squooshy com       * "information is power -- share the wealth."
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe