Ethereal-dev: Re: [Ethereal-dev] v0.9.9 through v0.10.7 can't recognize Cisco ISL frames
Hi Jim,
Do you have an example (binary) trace with ISL-tagged frames that you'd
be willing to submit? I'd like to put one in the example files Wiki.
Presumably it'd be something that you don't mind potentially sharing
with the entire world.
Naturally, the more diverse the examples in the trace, the better...
Thanks,
Ian Schorr
On Nov 2, 2004, at 2:00 AM, Jim Young wrote:
Hello,
It looks like a change made to packet-eth.c between v0.9.8 and
v0.9.9 disabled Ethereal from recognizing Cisco ISL packets.
The change made between v0.9.8 and v0.9.9 near the top of
capture_eth() included an additional test for
"&& etype != ETHERTYPE_UNK".
It looks like the call to capture_isl() within capture_eth() won't
happen because of this change. In my ISL traces (see example
frame below) the etype (offsets 12 (0x0c) and 13 (0x0d)) equal
0x0000 which is ETHERTYPE_UNK.
Here's the link to Guy's message from the "[ethereal-dev] Plugin
for Cisco ISL" thread that resulted in the initial ISL support:
http://www.ethereal.com/lists/ethereal-dev/200001/msg00182.html
Here's a currently working link to the Cisco ISL Frame Format:
http://www.cisco.com/en/US/tech/tk389/tk390/
technologies_tech_note09186a0080094665.shtml
NOTE: In the current version of the ISL Frame Format document
listed above, Cisco states that an ISL frame can also start with the
40 bit (5 octet) sequence 0C-00-0C-00-00 in addition to the previously
documented sequence 01-00-0C-00-00.
I'm quite too naive with this project to know how best to fix this.
Would moving the "Oh, Yuck" section out of the initial "if" and
into an additional "else if" test be the way to go?
e.g.
packet-eth.c
[snip]
else if (etype <= IEEE_802_3_MAX_LEN && etype == ETHERTYPE_UNK) {
length = etype;
/* Oh, yuck. Cisco ISL frames require special interpretation of
the
destination address field; fortunately, they can be recognized
by
checking the first 5 octets of the destination address, which
are
01-00-0C-00-00 or 0C-00-0C-00-00 for ISL frames. */
if ((pd[offset] == 0x01 || pd[offset] == 0x0C)
&& pd[offset+1] == 0x00 && pd[offset+2] == 0x0C
&& pd[offset+3] == 0x00 && pd[offset+4] == 0x00) {
capture_isl(pd, offset, len, ld);
return;
} else {
ethhdr_type = ETHERNET_II;
}
offset += ETH_HEADER_SIZE;
[snip]
Here's an example of an ISL frame that ethereal v0.9.8 recogonized
but which later versions do not...
0000 01 00 0c 00 00 07 00 02 fd 2c b8 97 00 00 aa aa
.........,......
0010 03 00 00 00 00 03 00 00 00 00 01 80 c2 00 00 00
................
0020 00 02 fd 2c b8 98 00 26 42 42 03 00 00 00 00 01
...,...&BB......
0030 80 00 00 02 fd 2c b8 80 00 00 00 00 80 00 00 02
.....,..........
0040 fd 2c b8 80 80 26 00 00 14 00 02 00 0f 00 00 00
.,...&..........
0050 00 00 00 00 00 00 32 72 82 28 ......2r.(
Frame 1 (90 bytes on wire, 90 bytes captured)
Arrival Time: Nov 1, 2004 07:27:58.216976000
Time delta from previous packet: 0.000000000 seconds
Time relative to first packet: 0.000000000 seconds
Frame Number: 1
Packet Length: 90 bytes
Capture Length: 90 bytes
ISL
Destination: 01:00:0c:00:00:07 (01:00:0c:00:00:07)
0000 .... = Type: Ethernet (0)
.... 0111 = User: Unknown (7)
Source: 00:02:fd:2c:b8:97 (Cisco_2c:b8:97)
Length: 0
DSAP: 0xAA
SSAP: 0xAA
Control: 0x3
HSA: 0x000000
0000 0000 0000 001. = VLAN ID: 0x0001
.... .... .... ...1 = BPDU: Yes
Index: 0
CRC: 0xb8970000
FWIW: Offset 0x1a represents the start of an encapsulated 802.3
frame to Multicast address 0180.c200.0000 from 0002.fd2c.b898.
This encapsulated frame is a Cisco BPDU (Spanning Tree) packet
(for VLAN 1).
I hope you fund the above information useful.
Best regards,
Jim Young
_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev
