- Subject: Re: [Ethereal-users] pcap: network type 15 unknown or unsupported
- From: Guy Harris <gharris@xxxxxxxxx>
- Date: Tue, 05 Jul 2005 11:05:56 -0700
diaz_d1@xxxxxx wrote:
Can you open this file?
I can extract the capture file from the ZIP file.
Unfortunately, the capture file is probably in Nokia's stupid format, in
which they modified the per-packet header to add an extra 4-byte field
but DIDN'T CHANGE THE MAGIC NUMBER, so an application such as Ethereal
can tell the difference between normal libpcap files and Nokia libpcap
files by trying to see whether it can successfully read part or all of
the file assuming it's a regular file and, if not, trying to see whether
it can do so assuming it's a Nokia file. (Unfortunately, some other
capture file formats *also* use the standard magic number, so the
heuristics are a bit more complicated than that.)
The current heuristics for detecting Nokia files in Ethereal only check
if the link-layer type value is 13, which they use for ATM; I tried
adding a check for 15, but apparently the heuristics succeed for the
first two packets, which is all Ethereal currently tries - perhaps it
should try 3 packets, which it appears should be enough to tell the
difference between the two file types.
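
Added example, not part of the original message and not Ethereal's code: a Python version of the trial-parse heuristic described above, which reads the first `count` records under each per-packet header size and reports which layout parses cleanly. The function names, the sanity checks, the little-endian-only handling and the placement of the extra 4-byte Nokia field after the standard 16-byte header are assumptions; the sample files are constructed.

```python
import struct

MAGIC = 0xA1B2C3D4                        # same magic in both file variants
GLOBAL_HDR = 24                           # libpcap file header size
LAYOUTS = {"standard": 16, "nokia": 20}   # per-packet header sizes in bytes

def records_ok(data, hdr_len, count):
    """Count how many of the first `count` records look sane for hdr_len."""
    snaplen = struct.unpack_from("<I", data, 16)[0]
    off, good = GLOBAL_HDR, 0
    while good < count and off + hdr_len <= len(data):
        _sec, usec, incl, orig = struct.unpack_from("<4I", data, off)
        # Assumed sanity checks (not Ethereal's): plausible microseconds,
        # captured length within the original and snapshot lengths.
        if usec >= 1_000_000 or not 0 < incl <= min(orig, snaplen):
            break
        if off + hdr_len + incl > len(data):   # record runs past end of file
            break
        off += hdr_len + incl
        good += 1
    return good

def classify(data, count=3):
    """Return the layout under which `count` records parse cleanly."""
    if struct.unpack_from("<I", data, 0)[0] != MAGIC:
        raise ValueError("not a little-endian libpcap file")
    hits = [name for name, size in LAYOUTS.items()
            if records_ok(data, size, count) == count]
    if len(hits) == 1:
        return hits[0]
    return "ambiguous" if hits else "unknown"

def build(hdr_len, packets=3, linktype=15):
    """Constructed sample: `packets` records of 60 bytes, little-endian."""
    out = struct.pack("<IHHiIII", MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i in range(packets):
        hdr = struct.pack("<4I", 1120586756 + i, 250_000, 60, 60)
        # Assumption: the Nokia extra field follows the standard 16 bytes.
        out += hdr + b"\x00" * (hdr_len - 16) + b"\xaa" * 60
    return out

if __name__ == "__main__":
    std, nokia = build(16), build(20)
    for n in (1, 2, 3):
        print(n, classify(std, n), classify(nokia, n))
```

In this constructed sample the standard-layout file still passes two records when read with the 20-byte header, because the shifted fields happen to look plausible, and only the third record exposes the wrong layout.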