This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Link Layer Protocol ?

If I look at a packet, how can I tell what the link-layer protocol is? Where is it shown in Wireshark?

Many thanks.. Sorry if this is an obvious question.

asked 14 Dec '12, 11:41

smc20


One Answer:

I would say it is the first layer of the packet you should look at ;-)

Regards
Kurt

answered 14 Dec '12, 12:52

Kurt Knochner ♦

Thanks. In this case, it says:

Frame 2831: 128 bytes on wire (1024 bits), 128 bytes captured (1024 bits)

So I'm guessing that's the Link-Layer. Thanks Kurt :)

(14 Dec '12, 12:57) smc20

Erm, no. :-) The link layer protocol is: Ethernet, PPP, HDLC, etc. In Wireshark it is the first layer shown after the 'Frame layer'. The link layer protocol is the protocol that is spoken on the physical medium (cable, air).

(14 Dec '12, 13:01) Kurt Knochner ♦

Ahh okay :-) Thanks. I bet I seem stupid. Better to ask though, right?

(14 Dec '12, 13:04) smc20

No problem. I recommend this book:

http://www.amazon.com/TCP-Illustrated-Protocols-Addison-Wesley-Professional/dp/0321336313/ref=sr_1_2?s=books&ie=UTF8&qid=1355519196&sr=1-2&keywords=tcp+ip+illustrated

HINT: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions.

(14 Dec '12, 13:06) Kurt Knochner ♦

Note also that some link layers don't show up as what they really are - PPP might show up as Ethernet on Windows or as "Linux cooked-mode capture" on Linux, and 802.11 might show up as Ethernet, for example.

Some link layers might also provide "metadata" that shows up as a layer after "Frame" but before the link layer, such as the various forms of radio information metadata for 802.11.

(14 Dec '12, 20:28) Guy Harris ♦♦
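
The link-layer type discussed in this thread can also be read straight from a capture file: a classic pcap file records it in the last field of its 24-byte global header, which is how a capture taken on a PPP or 802.11 interface can end up labelled "Linux cooked-mode capture" or carry radiotap metadata. The following is an added example, not part of the original thread; the function name `pcap_link_type` is hypothetical, the sample headers are constructed, and the table is only a small subset of the tcpdump.org LINKTYPE registry.

```python
import struct

# Subset of the tcpdump.org LINKTYPE_ registry (values are from that registry).
LINKTYPES = {
    1: "Ethernet",
    9: "PPP",
    104: "Cisco HDLC",
    105: "IEEE 802.11",
    113: "Linux cooked-mode capture (SLL)",
    127: "radiotap metadata followed by IEEE 802.11",
}

# First four bytes of a classic pcap file -> struct byte-order prefix.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}


def pcap_link_type(header: bytes):
    """Return (number, name) of the link-layer type in a pcap global header."""
    if len(header) < 24:
        raise ValueError("truncated pcap global header (need 24 bytes)")
    order = MAGICS.get(header[:4])
    if order is None:
        # pcapng, for example, records the link type per interface instead.
        raise ValueError("not a classic pcap file")
    # version_major, version_minor, thiszone, sigfigs, snaplen, network
    fields = struct.unpack(order + "HHiIII", header[4:24])
    # The low 16 bits are the link type; upper bits can carry FCS information.
    linktype = fields[5] & 0xFFFF
    return linktype, LINKTYPES.get(linktype, "not in this example's table")


if __name__ == "__main__":
    # Constructed sample headers (not taken from a real capture).
    samples = [
        struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1),
        struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 113),
        struct.pack(">IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127),
    ]
    for hdr in samples:
        print(pcap_link_type(hdr))
```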