>So is there any technical reason *not* to dissect the frame by: > > if that octet doesn't have the upper 6 bits as 010101, report it as an >error; > > if that octet is 0x55, show it as a preamble octet, and treat the frame >as not encrypted; > > if that octet is 0x54, report it as an error, as encryption is disabled >but the security octet is *not* 0x55; > > if that octet is 0x56, report it as "encryption enabled, key ID 0", and >treat the frame as encrypted; > > if that octet is 0x57, report it as "encryption enabled, key ID 1", and >treat the frame as encrypted; > >with no preference needed?
I thought about that solution, and it's probably the best. The only thing you lose is the positive confirmation that the information is *not* encrypted, but if the ethernet dissector works on it, that's probably confirmation enough, right? :) I'll get to updating the code today and posting a new patch set. _______________________________________________ tcpdump-workers mailing list tcpdump-workers@lists.tcpdump.org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
