Ethereal-dev: [Ethereal-dev] v0.9.9 through v0.10.7 can't recognize Cisco ISL frames

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: "Jim Young" <sysjhy@xxxxxxxxxxxxxxx>
Date: Tue, 02 Nov 2004 02:00:12 -0500
Hello,

It looks like a change made to packet-eth.c between v0.9.8 and 
v0.9.9 disabled Ethereal from recognizing Cisco ISL packets.  
The change made between v0.9.8 and v0.9.9 near the top of 
capture_eth() included an additional test for 
   "&& etype != ETHERTYPE_UNK". 

It looks like the call to capture_isl() within capture_eth() won't 
happen because of this change.   In my ISL traces (see example
frame below) the etype (offsets 12 (0x0c) and 13 (0x0d)) equal 
0x0000 which is ETHERTYPE_UNK.

Here's the link to Guy's message from the "[ethereal-dev] Plugin 
for Cisco ISL" thread that resulted in the initial ISL support:

  http://www.ethereal.com/lists/ethereal-dev/200001/msg00182.html

Here's a currently working link to the Cisco ISL Frame Format:

  
http://www.cisco.com/en/US/tech/tk389/tk390/technologies_tech_note09186a0080094665.shtml

NOTE:  In the current version of the ISL Frame Format document 
listed above, Cisco states that an ISL frame can also start with the 
40 bit (5 octet) sequence 0C-00-0C-00-00 in addition to the previously

documented sequence 01-00-0C-00-00. 

I'm quite too naive with this project to know how best to fix this.  
Would moving the "Oh, Yuck" section out of the initial "if" and
into an additional "else if" test be the way to go? 

e.g.
packet-eth.c

[snip]
  else if (etype <= IEEE_802_3_MAX_LEN && etype == ETHERTYPE_UNK) {
    length = etype;

    /* Oh, yuck.  Cisco ISL frames require special interpretation of
the
       destination address field; fortunately, they can be recognized
by
       checking the first 5 octets of the destination address, which
are
       01-00-0C-00-00 or 0C-00-0C-00-00 for ISL frames. */
    if ((pd[offset] == 0x01 || pd[offset] == 0x0C) 
        && pd[offset+1] == 0x00 && pd[offset+2] == 0x0C
        && pd[offset+3] == 0x00 && pd[offset+4] == 0x00) {
      capture_isl(pd, offset, len, ld);
      return;
  } else {
    ethhdr_type = ETHERNET_II;
  }
  offset += ETH_HEADER_SIZE;
[snip]

Here's an example of an ISL frame that ethereal v0.9.8 recogonized
but which later versions do not...

> 0000  01 00 0c 00 00 07 00 02 fd 2c b8 97 00 00 aa aa  
.........,......
> 0010  03 00 00 00 00 03 00 00 00 00 01 80 c2 00 00 00  
................
> 0020  00 02 fd 2c b8 98 00 26 42 42 03 00 00 00 00 01  
...,...&BB......
> 0030  80 00 00 02 fd 2c b8 80 00 00 00 00 80 00 00 02  
.....,..........
> 0040  fd 2c b8 80 80 26 00 00 14 00 02 00 0f 00 00 00  
.,...&..........
> 0050  00 00 00 00 00 00 32 72 82 28                     ......2r.(
>
> Frame 1 (90 bytes on wire, 90 bytes captured)
>     Arrival Time: Nov  1, 2004 07:27:58.216976000
>     Time delta from previous packet: 0.000000000 seconds
>     Time relative to first packet: 0.000000000 seconds
>     Frame Number: 1
>     Packet Length: 90 bytes
>     Capture Length: 90 bytes
> ISL
>     Destination: 01:00:0c:00:00:07 (01:00:0c:00:00:07)
>     0000 .... = Type: Ethernet (0)
>     .... 0111 = User: Unknown (7)
>     Source: 00:02:fd:2c:b8:97 (Cisco_2c:b8:97)
>     Length: 0
>     DSAP: 0xAA
>     SSAP: 0xAA
>     Control: 0x3
>     HSA: 0x000000
>     0000 0000 0000 001. = VLAN ID: 0x0001
>     .... .... .... ...1 = BPDU: Yes
>     Index: 0
>     CRC: 0xb8970000

FWIW: Offset 0x1a represents the start of an encapsulated 802.3 
frame to Multicast address 0180.c200.0000 from 0002.fd2c.b898.
This encapsulated frame is a Cisco BPDU (Spanning Tree) packet
(for VLAN 1).

I hope you fund the above information useful.

Best regards,

Jim Young