Ethereal-users: RE: [Ethereal-users] Weird Cisco packet?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "McNutt, Justin M." <McNuttJ@xxxxxxxxxxxx>
Date: Fri, 5 Oct 2001 18:42:34 -0500
One more time (I guess that table isn't very useful without the headers):

====================================================================================
                                   Topology Table
====================================================================================
PORT  IP_ADDR          SEG MAC_ADDR          CHASSIS BKPL            LOCAL CURSTATE
SLOT                   ID                    TYPE    TYPE            SEG
------------------------------------------------------------------------------------
0 /0  128.206.95.254   0   00:04:dc:a0:98:00 75      enetFastGigEnet true  heartbeat
1 /2  128.206.95.252   281 00:80:2d:97:61:fe 48      enetFastGigEnet true  heartbeat

My apologies if the table gets mangled on its way through the Internet...

--J

> -----Original Message-----
> From: McNutt, Justin M. [mailto:McNuttJ@xxxxxxxxxxxx]
> Sent: Friday, October 05, 2001 6:40 PM
> To: 'ethereal-users@xxxxxxxxxxxx'
> Subject: RE: [Ethereal-users] Weird Cisco packet?
> 
> 
> One other note.  "show sys topology" on the Passport showed these things for
> itself and 128.206.95.252:
> 
> 0 /0  128.206.95.254   0   00:04:dc:a0:98:00 75      enetFastGigEnet true  heartbeat
> 1 /2  128.206.95.252   281 00:80:2d:97:61:fe 48      enetFastGigEnet true  heartbeat
> 
> If anybody has any Nortel equipment, look for the file s5emt104.mib in the
> BayStack 450 MIBs on Nortel's site (you shouldn't have to have a password to
> get the MIBs).  I will try to see if the stuff in these MIBs correlates with
> anything in this table or in the packets I captured.
> 
> --J
> 
> > -----Original Message-----
> > From: McNutt, Justin M. [mailto:McNuttJ@xxxxxxxxxxxx]
> > Sent: Friday, October 05, 2001 6:35 PM
> > To: 'ethereal-users@xxxxxxxxxxxx'
> > Subject: RE: [Ethereal-users] Weird Cisco packet?
> > 
> > 
> > It has something to do with Aironet wireless devices.  I see similar packets
> > on my network, and we have several of these wireless access points in our
> > LAN.
> > 
> > I can't seem to find any aironet MIBs anywhere, though, or we might be able
> > to figure it out.
> > 
> > Here are some similar things that Ethereal doesn't understand (attached).
> > 
> > In autotopology.bay.cap, you'll see two different L2 multicasts to the
> > groups 01:00:81:00:01:00 (this segment) and 01:00:81:00:01:01 (all segments
> > in the bridged LAN).  IIRC, devices that understand Bay autotopology frames
> > *will* forward the :01 frames as a L2 multicast, but will *not* forward the
> > :00 frames.
> > 
> > I don't know how to decode the whole data portion, but there are some things
> > that are recognizable to me deeper in the frames.  For example, the first
> > four bytes of the data payload in both types of autotopology frames are the
> > IP address of the switch sending the frame.  In the case shown, the IP is
> > 128.206.95.252, which is the switch I connect to.
> > 
> > In the :01 frames:
> > 
> > If the byte at offset 0x031 is 0x41, then at offset 0x024 we see the MAC
> > address of the next switch upstream +0x01.  The next switch upstream is a
> > Nortel Passport.  Passports have different MAC's for damn near everything.
> > The base MAC address of the Passport in question is 00:04:DC:A0:98:00.  Add
> > one and you get the MAC seen in the frames in this capture.  This MAC
> > address is what the Passport uses as its bridge address for Spanning Tree
> > in Spanning Tree Group 1 (Passports don't do per-VLAN STP; they use STG's).
> > 
> > If the byte at offset 0x031 is not 0x41, then at offset 0x024 we see the MAC
> > address of the switch sending the frame +0x1e, which is also the source MAC
> > on the frame.  The way a BayStack 450 works, the MAC address of the base
> > unit in a stack is used for a bunch of other things as well.  You add 0x1e
> > to get the MAC used for autotopology.  Add 0x1f and you get the MAC address
> > used by the IP stack.  Even weirder is that if the switch is a stand-alone
> > (not stacked with other BayStacks), all three MAC addresses are simply that
> > of the unit itself (00:80:2D:97:61:E0 in this case).
> > 
> > In the :00 frames:
> > 
> > If the byte at offset 0x031 is 0x41, we see the MAC of the Passport again at
> > 0x024.
> > 
> > If the byte at offset 0x031 is not 0x41, then at 0x024 we see something
> > *similar* to eth.dst of the frame, but with the bytes in reverse order, and
> > with the 81 byte as 18 instead.  Could be coincidence since I don't *really*
> > know what any of these fields are.
> > 
> > I really oughta go into our test lab and compare these to what I get from
> > other Nortel switches and what I get if I change STP settings, etc.
> > 
> > Does anybody have any other info about these frames?
> > 
> > --J
> > 
> > > -----Original Message-----
> > > From: Joe Tomasone [mailto:joe@xxxxxxxx]
> > > Sent: Friday, October 05, 2001 2:59 PM
> > > To: ethereal-users@xxxxxxxxxxxx
> > > Subject: [Ethereal-users] Weird Cisco packet?
> > > 
> > > 
> > > Anyone know what this packet is?
> > > 
> > > Looks like some funky Cisco thing, since the source MAC is embedded in the
> > > data portion.
> > > Whatever it is, Ethereal didn't know what to do with it.
> > > 
> > > 
> > > 	- Joe
> > > 
> > > 
> > 
> > 
> 
>
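
The field positions described in the 6:35 PM message quoted above, collected into a small parser. This is an added example, not code from the thread or from Ethereal. It assumes the quoted offsets 0x024 and 0x031 count from the start of the Ethernet frame and that the data payload begins 22 bytes in (802.3 header plus LLC/SNAP); the sample frames are constructed, with only the fields the post identifies filled in.

```python
import ipaddress

# Bay/Nortel autotopology multicast groups named in the post.
GROUPS = {
    bytes.fromhex("010081000100"): "this segment (:00)",
    bytes.fromhex("010081000101"): "all segments (:01)",
}
PAYLOAD_OFF = 22                 # ASSUMPTION: 802.3 (14) + LLC/SNAP (8) before payload
MAC_OFF, FLAG_OFF = 0x24, 0x31   # offsets quoted in the post (assumed frame-relative)

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_add(mac, n):
    """Add n to a 6-byte MAC address, wrapping at 48 bits."""
    return ((int.from_bytes(mac, "big") + n) & 0xFFFFFFFFFFFF).to_bytes(6, "big")

def parse_autotopology(frame, payload_off=PAYLOAD_OFF):
    """Pull out the fields the post identifies; everything else is left undecoded."""
    if len(frame) <= FLAG_OFF:
        raise ValueError("frame too short to hold offset 0x31")
    dst, src = frame[0:6], frame[6:12]
    if dst not in GROUPS:
        raise ValueError("destination is not an autotopology group")
    embedded = frame[MAC_OFF:MAC_OFF + 6]
    flag = frame[FLAG_OFF]
    return {
        "scope": GROUPS[dst],
        "src_mac": mac_str(src),
        "sender_ip": str(ipaddress.IPv4Address(frame[payload_off:payload_off + 4])),
        "flag_0x31": flag,
        "embedded_mac": mac_str(embedded),
        # Post's observation for :01 frames when the flag byte is not 0x41.
        "embedded_is_src": flag != 0x41 and embedded == src,
    }

def build_sample(dst_hex, src, ip, embedded, flag):
    """Constructed 60-byte test frame; unlisted bytes are zero."""
    f = bytearray(60)
    f[0:6], f[6:12] = bytes.fromhex(dst_hex), src
    f[PAYLOAD_OFF:PAYLOAD_OFF + 4] = ipaddress.IPv4Address(ip).packed
    f[MAC_OFF:MAC_OFF + 6] = embedded
    f[FLAG_OFF] = flag
    return bytes(f)

BASE = bytes.fromhex("00802d9761e0")       # BayStack base MAC from the post
PASSPORT = bytes.fromhex("0004dca09800")   # Passport base MAC from the post
```
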