Ethereal-dev: Re: [ethereal-dev] Antwort: Re: [ethereal-users] Reading AIX-iptrace on at0
On Thu, Nov 18, 1999 at 12:25:06AM -0600, Guy Harris wrote:
>
> control frame, and that's what it dissected it as. VC 0.563 could be
> LANE data, but it's being dissected in a non-obvious fashion - the first
> 0.563 frame is
>
> 00 02 01 80 c2 00 00 00 08 00 8f 41 22 02 00 26 42 42 03 00
> 00 00 00 00 80 00 08 00 8f 19 42 a9 00 00 00 0a 80 00 08 00
> 8f 26 31 39 81 21 01 00 14 00 02 00 0f 00 00 00 00 00 0d 0f
> 08 00 8f 4f 00 00
>
> which would, as Ethernet LANE data, be:
>
> 00 02 LE header
> 01 80 c2 00 00 00 Destination Ethernet address
> 08 00 8f 41 22 02 Source Ethernet address
> 00 26 Type/length (a length)
>
> with
>
> 42 42 03 00
> 00 00 00 00 80 00 08 00 8f 19 42 a9 00 00 00 0a 80 00 08 00
> 8f 26 31 39 81 21 01 00 14 00 02 00 0f 00 00 00 00 00 0d 0f
> 08 00 8f 4f 00 00
>
> as the payload - and that looks like a UI frame with source and
> destination SAPs of 0x42, i.e. Spanning Tree BPDU - but, for some
> unknown reason, it's dissecting it as IP, with the payload being treated
> as purely IP data! Perhaps "ipreport" is just buggy....
The "00 00 00" from eth.dst and "08 00" from eth.src look suspiciously
like LLC Ethernet indicators.
> However, that still doesn't indicate how it knew that VC 0.561 and 0.563
> were LANE, and VC 0.567 was Classical IP. There doesn't seem to be
> anything in the header that would indicate the type of traffic; perhaps
> it doesn't know what type of traffic it is, perhaps it just looks at the
> first few bytes of the packet and tries to *guess* what it is....
Yes, I agree that there's nothing else in the packet header from which
it could get this info.
--gilbert
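
The Ethernet LANE reading of the first VC 0.563 frame quoted above, as an added example that is not part of the original messages and is not Ethereal's or ipreport's code: it applies the quoted layout (LE header, destination, source, type/length) to the bytes from the message and classifies the payload from the LLC header. The type and function names are hypothetical, and the 1500 / 0x0600 split between a length and an Ethertype is the usual Ethernet convention, assumed here rather than stated in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* First VC 0.563 frame, bytes copied from the hex dump quoted in the message. */
static const uint8_t frame[] = {
    0x00,0x02,0x01,0x80,0xc2,0x00,0x00,0x00,0x08,0x00,0x8f,0x41,0x22,0x02,0x00,0x26,0x42,0x42,0x03,0x00,
    0x00,0x00,0x00,0x00,0x80,0x00,0x08,0x00,0x8f,0x19,0x42,0xa9,0x00,0x00,0x00,0x0a,0x80,0x00,0x08,0x00,
    0x8f,0x26,0x31,0x39,0x81,0x21,0x01,0x00,0x14,0x00,0x02,0x00,0x0f,0x00,0x00,0x00,0x00,0x00,0x0d,0x0f,
    0x08,0x00,0x8f,0x4f,0x00,0x00
};

/* PK_TRUNCATED is 0, so a zero-initialised result means "not enough bytes". */
enum payload_kind { PK_TRUNCATED, PK_ETHERTYPE, PK_UNKNOWN, PK_LLC, PK_LLC_STP };

struct lane_frame {               /* hypothetical result type for this example */
    uint16_t le_header;           /* 2-byte LE header */
    const uint8_t *dst, *src;     /* 6-byte Ethernet addresses inside buf */
    uint16_t type_len;            /* Ethernet type/length field */
    uint8_t dsap, ssap, control;  /* set only for PK_LLC and PK_LLC_STP */
    enum payload_kind kind;
};

/* Dissect buf as Ethernet LANE data: LE header, dst, src, type/length, payload. */
static struct lane_frame dissect_lane(const uint8_t *buf, size_t len)
{
    struct lane_frame f = {0};
    if (len < 16)                            /* LE header + Ethernet header */
        return f;
    f.le_header = (uint16_t)(buf[0] << 8 | buf[1]);
    f.dst = buf + 2;
    f.src = buf + 8;
    f.type_len = (uint16_t)(buf[14] << 8 | buf[15]);
    if (f.type_len >= 0x0600) {              /* an Ethertype, not a length */
        f.kind = PK_ETHERTYPE;
    } else if (f.type_len > 1500) {          /* neither a length nor a type */
        f.kind = PK_UNKNOWN;
    } else if (f.type_len >= 3 && len - 16 >= f.type_len) {
        f.dsap = buf[16]; f.ssap = buf[17]; f.control = buf[18];
        /* UI frame (control 0x03) with both SAPs 0x42: Spanning Tree BPDU */
        f.kind = (f.dsap == 0x42 && f.ssap == 0x42 && f.control == 0x03) ? PK_LLC_STP : PK_LLC;
    }
    return f;                                /* short LLC payload stays PK_TRUNCATED */
}

int main(void) {
    struct lane_frame f = dissect_lane(frame, sizeof frame);
    printf("type/length 0x%04x DSAP 0x%02x SSAP 0x%02x kind %d\n", f.type_len, f.dsap, f.ssap, f.kind);
    return 0;
}
```

On the quoted frame this yields a length of 0x26 followed by an LLC UI header with both SAPs 0x42, so the payload is classified as a Spanning Tree BPDU and not as IP.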