> I found in my vlan traces that I have some packets that look to be using a
> different frame type.

Looks like an encapsulated 802.2 frame inside the VLAN frame:

> 0000 01 00 0c cc cc cd 00 50 3e b4 e4 66 81 00 00 06 .......P >..f....
       < ethernet dst  > < ethernet src  > etype <tci>
> 0010 00 32 aa aa 03 00 00 0c 01 0b 00 00 00 00 00 20 .2...... ........
       <len> DS SS C  < OUI  >
> 0020 00 00 d0 63 8d e8 05 00 00 00 04 80 00 00 10 2f ...c.... ......./
> 0030 17 4e 05 82 17 01 00 14 00 02 00 0f 00 00 00 00 .N...... ........
> 0040 00 02 00 06

where "DS" is the DSAP, "SS" is the SSAP, and "C" is the control field, in
an 802.2 LLC header.

DSAP and SSAP of 0xAA mean SNAP encapsulation if, following the 3
header bytes, there is a 3-byte Organizational Unit Identifier of 0x00 0x00
0x00. However, I'm not sure which standard - probably some IEEE 802.x
standard, and probably available only if you hand them your credit card
- specifies what happens if the OUI *isn't* 0x00 0x00 0x00.

I figured there'd be an on-line listing of OUIs *somewhere*, and, sure
enough:

    http://standards.ieee.org/regauth/oui/oui.txt

which says that 00 00 0C belongs to:

    CISCO SYSTEMS, INC.
    170 WEST TASMAN DRIVE
    SAN JOSE CA 95134-1706

(00 00 00 belongs to Xerox; presumably they generously loaned it to the
Internet community for use with SNAP.)

I.e., the "#if 0"ed code is doing what appears to be called for here
(although you might want to pick up the

    /* Convert the LLC length from the 802.3 header to a total
       length, by adding in the Ethernet header size, and set
       the payload and captured-payload lengths to the minima
       of the total length and the frame lengths. */

stuff from "dissect_eth()" as well, for the LLC case).

However, "dissect_llc()" (and "capture_llc()") should probably check for
an OUI of 0x00 0x00 0x00 before treating the frame as a SNAP frame with
a 2-byte Ethernet type following the OUI.
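
The OUI check suggested above, as an added example that is not part of the original message and is not Ethereal's code: a bounds-checked classifier run over the first 26 bytes of the quoted frame. The names `classify_frame`, `frame_kind` and `llc_info` are hypothetical, and treating the 2 bytes after a non-zero OUI as an opaque vendor-defined ID is this example's assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum frame_kind { F_TRUNCATED, F_ETHERTYPE, F_LLC, F_SNAP_ETHERTYPE, F_SNAP_VENDOR };
struct llc_info { uint16_t vlan_id; uint32_t oui; uint16_t pid; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Classify an Ethernet frame (optionally 802.1Q-tagged) without reading past len. */
enum frame_kind classify_frame(const uint8_t *f, size_t len, struct llc_info *out)
{
    size_t off = 12;                          /* skip destination + source MAC */
    uint16_t type;

    out->vlan_id = 0; out->oui = 0; out->pid = 0;
    if (len < off + 2) return F_TRUNCATED;
    type = be16(f + off); off += 2;
    if (type == 0x8100) {                     /* VLAN tag: TCI, then real type/length */
        if (len < off + 4) return F_TRUNCATED;
        out->vlan_id = be16(f + off) & 0x0fff;
        type = be16(f + off + 2); off += 4;
    }
    if (type >= 0x0600) { out->pid = type; return F_ETHERTYPE; }  /* Ethernet II */
    if (len < off + 3) return F_TRUNCATED;    /* DSAP, SSAP, control */
    if (f[off] != 0xaa || f[off + 1] != 0xaa) return F_LLC;       /* not SNAP */
    off += 3;
    if (len < off + 5) return F_TRUNCATED;    /* 3-byte OUI + 2-byte protocol ID */
    out->oui = ((uint32_t)f[off] << 16) | ((uint32_t)f[off + 1] << 8) | f[off + 2];
    out->pid = be16(f + off + 3);
    /* Only OUI 00 00 00 makes the next 2 bytes an Ethernet type. */
    return out->oui == 0 ? F_SNAP_ETHERTYPE : F_SNAP_VENDOR;
}

/* First 26 bytes of the frame quoted in the message above. */
static const uint8_t page_frame[] = {
    0x01, 0x00, 0x0c, 0xcc, 0xcc, 0xcd, 0x00, 0x50, 0x3e, 0xb4, 0xe4, 0x66,
    0x81, 0x00, 0x00, 0x06, 0x00, 0x32, 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x0c,
    0x01, 0x0b };

int main(void)
{
    struct llc_info i;
    enum frame_kind k = classify_frame(page_frame, sizeof page_frame, &i);

    printf("kind=%d vlan=%u oui=%06x pid=%04x\n", (int)k, (unsigned)i.vlan_id,
           (unsigned)i.oui, (unsigned)i.pid);
    return k == F_SNAP_VENDOR ? 0 : 1;
}
```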