I suspect that if you check the first bad packet the LLC Control field func
value will be SABME. If this is true the packet are caused by the two
network stations creating a connection at the LLC level (Data Link
Switching). The packets are seen as NETBIOS by the LLC dissector because
the DSAP is 0xf0. The dissect_netbios code could be improved to check the
LLC control field value and ignore packets that should not be passed to it.
I think better way would be have the LLC dissector code handle the Data Link
Switching functions instead.
If you want more information refer to RFC 1795 - Data Link Switching:
Switch-to-Switch Protocol.
Any comments Guy.
Jeff Foster
jfoste@xxxxxxxxxxxx
> -----Original Message-----
> From: Guy Harris [SMTP:guy@xxxxxxxxxx]
> Sent: Friday, August 20, 1999 4:53 PM
> To: guy@xxxxxxxxx
> Cc: ethereal-users@xxxxxxxx; jfoste@xxxxxxxxxxxx
> Subject: Re: [ethereal-users] Bad NETBIOS Packets
>
> (OK, one more try....)
>
> > I see a lot of messages in 0.7.2 about bad NETBIOS packets on my small
> > 5-station network. They always come in bunches of a half dozen or so.
> Is
> > this a known behavior?
>
> I'm not an expert on NetBIOS-on-802.2, so I'll defer to Jeff Foster, the
> guy who wrote the code to handle NetBIOS-on-802.2, for this one - I'm
> CCing him in case he doesn't get "ethereal-users".
