Description
When capturing on a tunnel interface (at least on macOS), the link-layer (L2) header is the Null/Loopback encapsulation rather than an Ethernet header: the only L2 information the dissector exposes is the address-family value (more details below).
https://wiki.wireshark.org/NullLoopback
See the example below. Note that although the command was run with `-i utun0`, the capture banner and `frame.interface_name` report `en7`, so the listing may not actually come from the tunnel interface; the `null` layer in `frame.protocols` is what matters here.
"null": {
"null.family": "2"
}
% tshark -T json -i utun0
Capturing on 'USB 10/100/1000 LAN: en7'
[
{
"_index": "packets-2021-05-12",
"_type": "doc",
"_score": null,
"_source": {
"layers": {
"frame": {
"frame.interface_id": "0",
"frame.interface_id_tree": {
"frame.interface_name": "en7",
"frame.interface_description": "USB 10/100/1000 LAN"
},
"frame.encap_type": "1",
"frame.time": "May 12, 2021 11:54:07.695295000 MST",
"frame.offset_shift": "0.000000000",
"frame.time_epoch": "1620845647.695295000",
"frame.time_delta": "0.000000000",
"frame.time_delta_displayed": "0.000000000",
"frame.time_relative": "0.000000000",
"frame.number": "1",
"frame.len": "1514",
"frame.cap_len": "1514",
"frame.marked": "0",
"frame.ignored": "0",
"frame.protocols": "null:ip:tcp:data"
},
"null": {
"null.family": "2"
},
"ip": {
"ip.version": "4",
"ip.hdr_len": "20",
"ip.dsfield": "0x00000002",
"ip.dsfield_tree": {
"ip.dsfield.dscp": "0",
"ip.dsfield.ecn": "2"
},
"ip.len": "1500",
"ip.id": "0x00006391",
"ip.flags": "0x00000040",
"ip.flags_tree": {
"ip.flags.rb": "0",
"ip.flags.df": "1",
"ip.flags.mf": "0"
},
...