I have been using Tshark on an Ubuntu server for some time now. I just noticed the other day that if I do a capture using -i any, I have a pile of IPX traffic that is seen. I have looked at the source and dest addresses and they do not seem to be listed in my database of machines on my network. However, under the Linux Cooked Capture, there are MAC addresses there that correspond with machines on my network. Machines range from Novell OES servers, Windows servers and workstations, Linux, and Mac OS X for operating systems. Now what I find funny is that if I run a capture using eth0, eth1, eth2, or lo I do not see any IPX traffic at all. Any thoughts or ideas where this is coming from, and how I can trace it back to a system and disable IPX on that system? Any help is appreciated.
asked 10 May '12, 08:57
There may be something going wrong with the Linux cooked header or Wireshark's parsing of it or something related. It's probably better to file a bug report and attach a small capture file that depicts the IPX traffic so someone could take a look at it and determine if there's a problem or not, and if so, apply a fix for it.
answered 10 May '12, 18:05
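To check the cooked-header theory from the answer before filing a report, the added example below (not part of the original posts) decodes the 16-byte Linux cooked (SLL) header of each frame in a classic pcap file and lists the MAC address and packet type of every frame whose SLL protocol field is 0x0001, the value Wireshark dissects as Novell raw 802.3 (IPX). The 0xFFFF payload check is an assumed heuristic (raw 802.3 IPX begins with that checksum), and the sample capture is constructed.

```python
import struct
from collections import Counter

SLL_LINKTYPE = 113  # LINKTYPE_LINUX_SLL ("Linux cooked capture", used by -i any)
PKTTYPE = {0: "to-us", 1: "broadcast", 2: "multicast", 3: "other-host", 4: "sent-by-us"}
# SLL protocol values that are not EtherTypes; 0x0001 goes to the IPX dissector.
SLL_P_802_3, SLL_P_802_2 = 0x0001, 0x0004

def parse_sll(frame):
    """Decode the cooked header; return (pkttype, hatype, mac, proto, payload)."""
    if len(frame) < 16:
        raise ValueError("truncated SLL header")
    pkttype, hatype, halen, addr, proto = struct.unpack("!HHH8sH", frame[:16])
    mac = ":".join(f"{b:02x}" for b in addr[:min(halen, 8)])
    return pkttype, hatype, mac, proto, frame[16:]

def read_pcap(data):
    """Yield raw frames from a classic (non-pcapng) capture of link type 113."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != SLL_LINKTYPE:
        raise ValueError("capture is not Linux cooked (SLL)")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def ipx_sources(data):
    """Count frames per (MAC, pkttype, verdict) whose SLL protocol is 0x0001."""
    seen = Counter()
    for frame in read_pcap(data):
        pkttype, _, mac, proto, payload = parse_sll(frame)
        if proto == SLL_P_802_3:
            # Heuristic: real raw-802.3 IPX starts with the 0xFFFF checksum.
            verdict = "ipx-like" if payload[:2] == b"\xff\xff" else "not-ipx"
            seen[(mac, PKTTYPE.get(pkttype, "?"), verdict)] += 1
    return seen

def _rec(frame):  # constructed sample record: zero timestamp, full length
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed capture: one IPX-like frame, one mislabelled frame, one IPv4 frame.
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, SLL_LINKTYPE) + b"".join(
    _rec(struct.pack("!HHH8sH", pt, 1, 6, bytes.fromhex(mac) + b"\0\0", proto) + body)
    for pt, mac, proto, body in [
        (1, "020000000001", 0x0001, b"\xff\xff\x00\x1e" + b"\0" * 26),
        (4, "020000000002", 0x0001, b"\x45\x00\x00\x14" + b"\0" * 16),
        (0, "020000000003", 0x0800, b"\x45\x00\x00\x14" + b"\0" * 16)])
```

Frames reported as "not-ipx" carry protocol 0x0001 without an IPX-shaped payload, which points at the cooked header rather than at a host speaking IPX and makes a good attachment for the bug report.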