This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi all,

I work for a large company which had developed and maintained its own internal and proprietary 802.3 protocol since the late 90s.

This protocol is kinda-sorta-compliant to early ETHERNET standards, so we could still use our desktop wired network adapters to eavesdrop on our traffic, and iron out the bugs as needed. -- well, at least as long as I've worked here, since the mid 90s.

Anyway, what used to work before (with WIRESHARK on MSWindows and up until last October), now DOESN'T work. Pre Oct-2014 our network drivers in our laptops worked perfectly with Wireshark, and we could always sniff all 802.3 traffic between our boxes.

NOW, (since some WINDOWS update in mid-Oct-2014), Wireshark is not being passed ALL of our packet data.

The issue is this (I speculate)...

In our proprietary 802.3 std comms, the ETHERTYPE/PACKETSIZE field (word at offset 12) is coincidentally ALWAYS a hardcoded constant value of 0x0080 (128 decimal). And in reality, our network packets are always transmitted with a constant payload size of 1400 bytes.

And, happily, my network adapter never cared. Even though the (non-)Ethernet header always had a hardcoded LENGTH value of 128 at offset=12, the Windows Ethernet driver ALWAYS returned ALL the actual packet data to Wireshark -- all 1400 bytes of payload in addition to the enveloping info, etc. And so we could see all the data and everything, and life was good.

(and coincidentally, since our packets were NEVER smaller than 128 bytes, no packets were ever rejected as RUNTs)

Anyway, something happened to our network driver software (in Windows), which PROHIBITS passing through the packet data beyond 128 bytes worth of data -- or what my network driver probably now thinks is possible malicious code.

Now, when I Wireshark this interface, I get ONLY the first 128 bytes of payload (142 bytes including envelope stuff).

AND SO... (now for the MONEY STATEMENT)...

What can I do about this? Does anyone know if this is a WINDOWS KERNEL ISSUE, or simply a Windows Registry Issue?

Needless to say, I am considered just another mindless drone in a corporate cubicle-farm by my IT department. I do NOT have admin privs on my company issued laptop, and frankly, it has taken me almost 2 months now (off-n-on) to educate myself to this meager level.

So, if I can solicit for some dialog and education here, and also learn the proper vocabulary, I can approach the wizards behind the curtain, and see if they can enable me and my co-workers with whatever I need to get this fixed again. Believe it or not, this does have some pretty serious ramifications to me and my group. I gotta get this worked out.

Thanks for reading, and please reply with any knowledge you might be able to contribute. Even if it might seem too trivial or primary for the other oracles here. I confess I'm a NOOB. But I want to learn.

-David B

asked 30 Dec '14, 14:52

davidjaybrown
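
The length/type interpretation the question speculates about, as an added example that is not part of the original post: IEEE 802.3 treats the 16-bit field at offset 12 as a payload length when it is 1500 or less and as an EtherType when it is 1536 (0x0600) or more. The function names and MAC addresses are hypothetical, the frames are constructed, and whether the Windows driver really trims to the declared length remains the poster's speculation.

```python
import struct

ETH_HEADER_LEN = 14      # dst MAC (6) + src MAC (6) + length/type field (2)
MAX_8023_LENGTH = 1500   # field <= 1500: IEEE 802.3 payload length
MIN_ETHERTYPE = 0x0600   # field >= 1536: EtherType (Ethernet II framing)


def classify_frame(frame: bytes) -> dict:
    """Interpret the field at offset 12 and report how much payload a
    receiver that honours an 802.3 length would hand upward.
    `frame` is a captured frame without the 4-byte FCS."""
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    (field,) = struct.unpack_from("!H", frame, 12)   # network byte order
    actual_payload = len(frame) - ETH_HEADER_LEN
    if field >= MIN_ETHERTYPE:
        kind, honoured = "ethertype", actual_payload
    elif field <= MAX_8023_LENGTH:
        # Bytes past the declared length count as padding/trailer.
        kind, honoured = "length", min(field, actual_payload)
    else:
        kind, honoured = "undefined", actual_payload  # 1501..1535
    return {
        "field": field,
        "kind": kind,
        "actual_payload": actual_payload,
        "honoured_payload": honoured,
        "honoured_frame": ETH_HEADER_LEN + honoured,
        "beyond_declared": actual_payload - honoured,
    }


def build_constructed_frame(field: int, payload_len: int) -> bytes:
    """Constructed sample: locally administered MACs, zero-filled payload."""
    dst = bytes.fromhex("020000000001")
    src = bytes.fromhex("020000000002")
    return dst + src + struct.pack("!H", field) + bytes(payload_len)


if __name__ == "__main__":
    # 0x0080 is the constant from the question; 0x0800 (IPv4) for contrast.
    for field in (0x0080, 0x0800):
        print(classify_frame(build_constructed_frame(field, 1400)))
```

For the 0x0080 frame the honoured sizes come out as 128 bytes of payload and 142 bytes including the header, the same figures the question reports seeing in Wireshark.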

question asked: 30 Dec '14, 14:52

question was seen: 1,156 times

last updated: 30 Dec '14, 14:52
