LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 01-14-2005, 02:53 AM   #1
anubhuti_k
LQ Newbie
 
Registered: Oct 2004
Location: India
Distribution: Suse 9.1
Posts: 29

Rep: Reputation: 15
captured packet in ethereal


hi all

when i capture packets using in ethereal it shows four fields
1) source mac add
2) destination mac add
3) protocol type
4) trailer (not significant)

this structure shown confirms to the header file - /usr/include/netinet/if_ethernet.h

but when a particular packet is captured whose protocol type is NBIPX, then it does not show protocol type at ethernet layer instead it shows length field..

my problem is that how etherreal is able to extract length at ethernet layer when there is no such field in the structure defined in the header file.
 
Old 01-14-2005, 06:31 AM   #2
cowanrl
Member
 
Registered: Dec 2004
Location: Western Pennsylvania, USA
Distribution: Red Hat
Posts: 150

Rep: Reputation: 15
There are several different Ethernet frame formats that carry slightly different header fields.

The Ethernet_2 frame format has these fields:

Preamble, Destination Address, Source Address, Type, Data and CRC.

The 802.3 frame format has these fields:

Preamble, Destination Address, Source Address, Length, Data and CRC.

To carry TCP/IP, the ethernet frame must have the type field. This is why the Ethernet_2 frame format is used almost exclusively today.
In the days when NetWare was king and most networks carried IPX/SPX, the 802.3 frame format was used. Since the protocol Ethereal detected is NBIPX, then the 802.3 frame format could be used.

Since the value for all protocol types is greater than 1500(Novell's IPX is #8137), it's very easy for Ethereal to detect that the 4th field is a length field, not a type field. The greatest legal size for an Ethenet packet is 1500.

Years ago it was an issue to be sure to select the proper frame format for your network. I can't remember the last time I had to make that choice though. Probably the last time I set up a NetWare server.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
how do i read the data in the packet that i have captured after packet capture? gajaykrishnan Programming 23 04-19-2006 05:09 AM
[ethereal] why 50% packet are go missing dalmassoc Linux - Networking 2 11-30-2005 03:05 AM
'funny' smtp conversation captured w Ethereal tom_from_van Linux - Security 2 07-20-2005 05:04 PM
Ethereal Packet capture Help sucram2g Linux - Networking 2 07-20-2005 12:35 PM
What is the best way to view data captured in packets with Ethereal? abefroman Linux - Security 4 05-07-2005 01:30 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 01:23 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration