This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hey,

I did a capture of a piece of software on my laptop loading firmware to a device. The packets look like this in list view:

687 53.047211 Dell_cb:f1:96 MegaSyst_01:b5:cf 0x4d45 Ethernet II

The source (Dell..) is my laptop and the dest (Mega...) is the device. The protocol is showing up as 0x4d45 (Unknown) and the type is showing up as Ethernet II.

I spoke to a friend who said that sometimes their gear shows up incorrectly in Wireshark as well.

So, my question(s) are:

  1. How can I confirm what the packet protocol and type should be? The mfr of the device is of no help on this.
  2. Can I convert these to a known type (once I find out what the type should be) through Wireshark and if so, how?

Thanks!

asked 28 Dec '10, 10:41


emana

edited 01 Jan '11, 13:13 by Guy Harris ♦♦

If the ethertype is 0x4d45, it is what it is. Are you trying to prove that it should not be this ethertype? Or do you just want to change it, temporarily, so you can treat it as IP?

(28 Dec '10, 18:34) hansangb

I want to confirm somehow that this is correctly reported by Wireshark and then figure out how a file is being sent from a piece of software using this protocol. I have to write something in VB to send the same file using the same method used by the packet trace...

(28 Dec '10, 19:12) emana

I got the mfr of the product telling me it should be port 80 TCP...it would appear that Wireshark is somehow misrepresenting the packets...any idea how to correct?

(28 Dec '10, 21:07) emana

We would like to see such an eth file on bugs.wireshark.org. Could be a file format reading issue.

(28 Dec '10, 23:44) Jaap ♦

Emana, remember that Ethertype has nothing to do with whether port 80 is being used or not. Obviously, if TCP/IP is being used, an ethertype of 0800 (for IPv4) is what it should be set to. You can use bittwiste to change the ethertype, so you may want to give that a shot. If everything shows up correctly after you modify the ethertype to 0800, then it might be a bug (Wireshark or the device).

(29 Dec '10, 08:47) hansangb
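An added example (not code from anyone in this thread) of the check hansangb describes: read the EtherType from bytes 12-13 of an Ethernet II frame, test whether the bytes after it parse as an IPv4 header carrying TCP, and produce a copy of the frame with the EtherType rewritten to 0x0800, which is what a rewriting tool such as bittwiste would do before you reload the file in Wireshark. The frame is constructed here; the MAC addresses, IP addresses and ports are made up.

```python
import struct

# Ethernet II header: destination MAC, source MAC, 16-bit EtherType.
ETH_HDR = struct.Struct("!6s6sH")

def build_sample_frame(ethertype=0x4d45):
    """Constructed frame: EtherType 0x4d45 (the ASCII bytes 'M','E') in front of
    an IPv4/TCP segment to port 80. Not taken from the capture in the question."""
    dst = bytes.fromhex("0011aa01b5cf")  # made-up device MAC
    src = bytes.fromhex("001122cbf196")  # made-up laptop MAC
    payload = b"GET / HTTP/1.0\r\n\r\n"
    # TCP: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: ver/IHL 0x45, TOS, total length, id, flags DF, TTL, proto 6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    return ETH_HDR.pack(dst, src, ethertype) + ip + tcp + payload

def ethertype_of(frame):
    """Return the EtherType field (bytes 12-13). Wireshark labels a value it has
    no dissector for, such as 0x4d45, as 'Unknown'."""
    return ETH_HDR.unpack_from(frame)[2]

def looks_like_ipv4_tcp(payload):
    """Heuristic: does the data after the EtherType parse as IPv4 carrying TCP?
    Returns (source port, destination port) if so, else None."""
    if len(payload) < 40:  # minimum IPv4 header + minimum TCP header
        return None
    version, ihl = payload[0] >> 4, (payload[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", payload, 2)[0]
    proto = payload[9]
    if version != 4 or ihl < 20 or total_len > len(payload) or proto != 6:
        return None
    return struct.unpack_from("!HH", payload, ihl)

def rewrite_ethertype(frame, new_type=0x0800):
    """Copy of the frame with only the EtherType replaced; the rest is untouched,
    so if it then dissects cleanly as IPv4/TCP the payload really was IP."""
    return frame[:12] + struct.pack("!H", new_type) + frame[14:]

if __name__ == "__main__":
    frame = build_sample_frame()
    print("EtherType: 0x%04x" % ethertype_of(frame))
    print("payload looks like IPv4/TCP ports:", looks_like_ipv4_tcp(frame[14:]))
    fixed = rewrite_ethertype(frame)
    print("after rewrite: 0x%04x" % ethertype_of(fixed))
```

If the heuristic returns None for real frames, the payload is not plain IPv4 and rewriting the EtherType alone will not make Wireshark decode it.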

Are you able to share a bit more of the file? One (or a few) packets with all bytes?

You could do this by posting the output of "tshark -r <file> -c 5 -x".

(31 Dec '10, 01:32) SYN-bit ♦♦

If the traffic is really carried as TCP port 80, but using 0x4d45 instead of 0x0800 for the ethertype on IP, then it sounds like an attempt at security by obscurity. But the vendor should have told you that!


answered 01 Jan '11, 18:59


martyvis


question asked: 28 Dec '10, 10:41

question was seen: 6,245 times

last updated: 01 Jan '11, 18:59
