On Mon, Nov 04, 2002 at 05:30:13AM -0500, mrmartin1903@xxxxxxxxxxxx wrote:
> For this test I am only using Ethereal to load capture files from a
> third party analyser. When I start Ethereal it always comes up showing
> the columns No.; Time; Source Addr.; Dest Addr.; etc.

Yes, that's the default behavior. The "source address" and "destination address" could be MAC addresses, IPv4 addresses, IPv6 addresses, etc., so it would not make sense to delete them, by default, for captures from networks that don't have MAC addresses.

> I have found the option to delete and add columns but that didn't
> change the way that Ethereal decoded my packets.

It's not supposed to - it's only supposed to change the way it displays the list of packets.

> Where would I configure Ethereal for example to look for a PPP-header
> etc. instead of the MAC SA/DA at the beginning of the packet as it does
> in default.

That is not a configuration option for Ethereal. Ethereal determines the type of link layer in a capture file from information in the capture file.

The capture file "tcp_cap.eth" is in tcpdump format. The packets have what appear to be PPP headers, but the capture file has, as its link-layer type in the header in the file, Ethernet.

If that file was written by the third-party analyzer, the third-party analyzer is buggy. What program wrote it?

If you want to fix the header in the file, the command

    editcap -T ppp tcp_cap.eth tcp_cap.ppp

(editcap comes with Ethereal; its binary will be installed in the same directory as the Ethereal binary) will read the file's packets and write them out, unchanged, to a file with a file header that says the link-layer type is PPP.

(Having done so, however, it appears that the TCP headers in the capture are bogus.)

> I do not have a POS or ATM interface in my PC, so could that be the problem?

No. The problem is probably that your third-party analyzer is buggy.
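
The header field discussed above, shown as an added example that is not part of the original message and not editcap's own code: it reads the link-layer type from a classic tcpdump-format file header and rewrites only that field, leaving the packets untouched. The link-type values 1 (Ethernet) and 9 (PPP) are taken from the libpcap file format, and the sample capture is constructed inline.

```python
import struct

# Link-layer type values from the libpcap file format (assumed, not from the message).
LINKTYPE_ETHERNET = 1
LINKTYPE_PPP = 9
NAMES = {LINKTYPE_ETHERNET: "Ethernet", LINKTYPE_PPP: "PPP"}

# The magic number as its bytes appear on disk, mapped to the struct byte order.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}
HEADER_LEN = 24  # magic, version major/minor, thiszone, sigfigs, snaplen, linktype


def byte_order(data):
    """Return the struct byte-order prefix for a classic pcap file, or raise."""
    if len(data) < HEADER_LEN:
        raise ValueError("too short for a pcap file header")
    try:
        return MAGICS[data[:4]]
    except KeyError:
        raise ValueError("not a classic microsecond pcap file") from None


def get_linktype(data):
    """Read the link-layer type field (last 4 bytes of the file header)."""
    return struct.unpack_from(byte_order(data) + "I", data, 20)[0]


def set_linktype(data, linktype):
    """Return a copy with only the header's link-layer type changed."""
    out = bytearray(data)
    struct.pack_into(byte_order(data) + "I", out, 20, linktype)
    return bytes(out)


def build_sample():
    """Constructed sample: header claims Ethernet, the one packet starts with PPP bytes."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    packet = bytes.fromhex("ff030021") + b"\x45" + bytes(19)  # PPP ff 03, protocol 0x0021 (IP)
    record = struct.pack("<IIII", 0, 0, len(packet), len(packet))
    return header + record + packet


if __name__ == "__main__":
    original = build_sample()
    fixed = set_linktype(original, LINKTYPE_PPP)
    print(NAMES[get_linktype(original)], "->", NAMES[get_linktype(fixed)])
    print("packet bytes unchanged:", original[HEADER_LEN:] == fixed[HEADER_LEN:])
```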