• Layer 2 header identification...

    From TDH1978@21:1/5 to All on Fri May 12 17:36:22 2017
    I'm hoping someone can point me in the right direction. I have a PCAP
    file where the packets do not have an Ethernet header; instead they
    have a PPP (Point-to-Point Protocol) header.

    I have a few questions.


    1. The PPP header I'm seeing in Wireshark has the following structure:

    Address 0xFF (1 byte)
    Control 0x03 (1 byte)
    Protocol 0x0021 (2 bytes)
    <...followed by IPv4...>

    What happened to the 1-byte Flag field (usually set at 0x7E) which
    indicates the beginning of the PPP frame?


    2. Given that the flag field is missing, how was Wireshark still able
    to guess the proper format of the packet? The packet format is:

    PPP
    IPv4
    UDP/Teredo
    IPv6
    ICMPv6


    3. Even if the flag field were present, how does Wireshark usually
    identify the type of Layer 2 header? Does it guess?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Robert Wessel@21:1/5 to thedeerhunter1978@movie.uni on Fri May 12 23:41:45 2017
    On Fri, 12 May 2017 17:36:22 -0400, TDH1978
    <thedeerhunter1978@movie.uni> wrote:

    > I'm hoping someone can point me in the right direction. I have a PCAP
    > file where the packets do not have an Ethernet header; instead they
    > have a PPP (Point-to-Point Protocol) header.

    > I have a few questions.


    > 1. The PPP header I'm seeing in Wireshark has the following structure:

    > Address 0xFF (1 byte)
    > Control 0x03 (1 byte)
    > Protocol 0x0021 (2 bytes)
    > <...followed by IPv4...>

    > What happened to the 1-byte Flag field (usually set at 0x7E) which
    > indicates the beginning of the PPP frame?


    > 2. Given that the flag field is missing, how was Wireshark still able
    > to guess the proper format of the packet? The packet format is:

    > PPP
    > IPv4
    > UDP/Teredo
    > IPv6
    > ICMPv6


    Only if PPP is running an HDLC-like encapsulation are the 0x7e flags
    needed. If the underlying link provides the frame boundaries, PPP can
    use those.


    > 3. Even if the flag field were present, how does Wireshark usually
    > identify the type of Layer 2 header? Does it guess?


    It depends on the layer 2. On Ethernet, for example, it's either
    the Ethernet frame type or a SNAP (802.2) header. On a serial link,
    there's going to have to be some guessing/configuration required.
    Some heuristics are possible, of course: if you're looking at a serial
    link and you see something that looks like PPP containing something
    that looks like an IP datagram, that may be a good guess.

  • From herrmannsfeldt@gmail.com@21:1/5 to All on Mon May 15 13:03:54 2017
    On Friday, May 12, 2017 at 2:36:23 PM UTC-7, TDH1978 wrote:
    > I'm hoping someone can point me in the right direction. I have a PCAP
    > file where the packets do not have an Ethernet header; instead they
    > have a PPP (Point-to-Point Protocol) header.

    > I have a few questions.

    PPP is a layer 2 protocol that allows for transport of some other
    layer 2 protocols. It isn't as general as Ethernet with ethertype,
    but only allows for those protocols that have been defined.

    https://en.wikipedia.org/wiki/Point-to-Point_Protocol

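For a saved capture, the layer-2 type is recorded in the link-type field of the pcap file's global header (9 for PPP, 1 for Ethernet), so a reader does not have to infer it from the packet bytes. The Python below is an added example, not written by any poster in this thread: it reads that field from a classic pcap image and decodes the PPP header layout from the question, with the optional `FF 03` Address/Control bytes and no `0x7E` flag. The function names and the sample capture are constructed for illustration.

```python
import struct

# Subset of LINKTYPE_ values defined for the pcap file format.
LINKTYPES = {1: "ETHERNET", 9: "PPP", 101: "RAW"}
# Subset of PPP protocol numbers; 0x0021 is the value seen in the thread.
PPP_PROTOCOLS = {0x0021: "IPv4", 0x0057: "IPv6", 0xC021: "LCP"}

def read_pcap(data):
    """Return (linktype, [frame bytes, ...]) for a classic pcap file image."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic (microsecond) pcap file")
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    frames, off = [], 24
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        if off + caplen > len(data):
            raise ValueError("truncated packet record")
        frames.append(data[off:off + caplen])
        off += caplen
    return linktype, frames

def parse_ppp(frame):
    """Return (protocol name, payload) for a frame captured as LINKTYPE_PPP."""
    if frame[:2] == b"\xff\x03":      # HDLC-like Address/Control, optional
        frame = frame[2:]
    if not frame or (not frame[0] & 1 and len(frame) < 2):
        raise ValueError("short PPP header")
    if frame[0] & 1:                  # protocol-field compression: one byte
        proto, payload = frame[0], frame[1:]
    else:
        proto, payload = struct.unpack(">H", frame[:2])[0], frame[2:]
    return PPP_PROTOCOLS.get(proto, hex(proto)), payload

def summarize(data):
    """Name the link type and, for PPP, the protocol and IP version of frame 1."""
    linktype, frames = read_pcap(data)
    name = LINKTYPES.get(linktype, "LINKTYPE_%d" % linktype)
    if name != "PPP" or not frames:
        return name, None, None
    proto, payload = parse_ppp(frames[0])
    return name, proto, (payload[0] >> 4 if payload else None)

# Constructed sample: linktype 9, one frame = FF 03 00 21 + 20-byte IPv4 stub.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 9)
          + struct.pack("<IIII", 0, 0, 24, 24)
          + bytes.fromhex("ff030021") + b"\x45" + bytes(19))
```

Calling `summarize(SAMPLE)` reports the link type from the file header first and only then interprets the frame bytes as PPP.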