On Tue, Mar 01, 2005 at 10:19:25AM +0100, Eric Leblond wrote: | Hi, | | I had to dump some RFC2684 atm bridge interfaces for a customer. We | often have some strange messages : | 09:09:43.262575 77:9c:7d:60:8:0 c:3f:b4:8:0:0 4500 401: | 0183 df1d 0000 7111 96fb 527f 2537 d50b | 858f 7325 18ca 016f 36a5 474e 4403 aa2e | 0101 789c 9ba2 c714 e861 e421 e01e daa8 | fedc d6ea ef23 d5bb d353 7f85 fa3d 13f7 | 60f3 730c aa57 353f 25e1 c012 16e4 18e5 | e8c1 | It seems tcpdump looses the link header (2bytes) and that consequently | the whole packet reading is shift. We've found that because we know that | the source mac address is : | 00:00:77:9c:7d:60 | Furthermore, the protocol is 0800 thus explaining the last 2 bytes of | the MAC address. | | Same problem occurs when testing it on an ATM clip interface. | | This is weird but it does only occur on some packets mainly TCP one (as | we can guess from packet content) other are correctly parsed. | | Is this a known problem ?
can you send me the binary .pcap file that contains such a frame and i'll have a look - /hannes - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
