tcpdump mailing list archives

Ethernet Header length


From: MohanR <mohan43u () gmail com>
Date: Sat, 24 Dec 2011 10:31:08 +0530

Hi,

I am trying to learn about packets using libpcap, and I already wrote a
program to dump packets using libpcap to stdout. This is one of the
packets which my program dumped:

[cl:76 l:76 t:20111224100136.841069] 00000000 00000000 00000011 00000100
00000000 00000110 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00001000 00000000 01000101 00000000 00000000 00111100
00100010 11110000 01000000 00000000 01000000 00000110 00011001 11001010
01111111 00000000 00000000 00000001 01111111 00000000 00000000 00000001
11001100 01111000 00010101 10110011 00110111 01000101 01000001 10101000
00000000 00000000 00000000 00000000 10100000 00000010 10000000 00011000
11111110 00110000 00000000 00000000 00000010 00000100 01000000 00001100
00000100 00000010 00001000 00001010 00000000 10001111 01100011 01011000
00000000 00000000 00000000 00000000 00000001 00000011 00000011 00000101 

I captured packets using Linux's 'any' interface. At the time of
capturing, only 'lo' was active. I used 'nc' to generate packets on
'lo'.

From http://wiki.wireshark.org/Ethernet#Packet_format I learnt that the
Ethernet header contains 14 bytes and that the 13th and 14th bytes should
contain the 'ethertype'. But in my dump, I see that the 'ethertype' is at
the 15th and 16th bytes (00001000 00000000=0x0800), indicating that this
is an IP packet. It should have appeared at the 13th and 14th bytes.

Could you please explain what the first 2 bytes indicate in the above
dump? I am just a noob, this is my first attempt to learn about networks
at the packet level. Forgive me if it is a silly question.

Thanks,
Mohan R
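
Added example (not part of the original post and not tcpdump project code): on Linux, libpcap delivers captures from the 'any' device with link type DLT_LINUX_SLL, a 16-byte "cooked" header instead of the 14-byte Ethernet header, which is why the protocol field sits at bytes 15-16. The code decodes the first bytes of the dump above under both link types; parse_l2, struct l2_info and the sample array are names made up for this example, and a real program would take the link type from pcap_datalink().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Link-layer type values as defined by libpcap. */
#define DLT_EN10MB    1    /* Ethernet, 14-byte header */
#define DLT_LINUX_SLL 113  /* Linux cooked capture, 16-byte header */

/* First 20 bytes of the dump in the post, converted from binary to hex. */
static const uint8_t sample[] = {
    0x00, 0x00,                          /* packet type: 0 = sent to us */
    0x03, 0x04,                          /* ARPHRD_ type: 772 = loopback */
    0x00, 0x06,                          /* link-layer address length */
    0, 0, 0, 0, 0, 0, 0, 0,              /* address, padded to 8 bytes */
    0x08, 0x00,                          /* protocol: 0x0800 = IPv4 */
    0x45, 0x00, 0x00, 0x3c               /* start of the IPv4 header */
};

struct l2_info { size_t hdr_len; uint16_t pkt_type, arphrd, proto; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode the link-layer header according to the capture's link type.
 * Returns 0 on success, -1 on an unsupported type or a truncated frame. */
int parse_l2(int linktype, const uint8_t *buf, size_t caplen, struct l2_info *out)
{
    out->pkt_type = out->arphrd = 0;
    switch (linktype) {
    case DLT_EN10MB:                     /* dst(6) src(6) ethertype(2) */
        if (caplen < 14) return -1;
        out->hdr_len = 14;
        out->proto = be16(buf + 12);
        return 0;
    case DLT_LINUX_SLL:                  /* type(2) arphrd(2) len(2) addr(8) proto(2) */
        if (caplen < 16) return -1;
        out->hdr_len = 16;
        out->pkt_type = be16(buf);
        out->arphrd = be16(buf + 2);
        out->proto = be16(buf + 14);
        return 0;
    }
    return -1;                           /* never guess an offset */
}

int main(void) {
    struct l2_info i;
    if (parse_l2(DLT_LINUX_SLL, sample, sizeof sample, &i) == 0)
        printf("hdr=%zu type=%u arphrd=%u proto=0x%04x\n",
               i.hdr_len, (unsigned)i.pkt_type, (unsigned)i.arphrd, (unsigned)i.proto);
    return 0;
}
```

Decoding the same bytes as DLT_EN10MB yields protocol 0x0000, which is the mismatch described in the post.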
