Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 8256] New: Ethernet Frame with all zeros is decoded as Fibre Channel

Wireshark-bugs: [Wireshark-bugs] [Bug 8256] New: Ethernet Frame with all zeros is decoded as Fib

Date: Wed, 23 Jan 2013 15:36:11 +0000

Bug ID	8256
Summary	Ethernet Frame with all zeros is decoded as Fibre Channel
Classification	Unclassified
Product	Wireshark
Version	1.8.4
Hardware	x86
OS	Windows 7
Status	UNCONFIRMED
Severity	Major
Priority	Low
Component	Wireshark
Assignee	bugzilla-admin@wireshark.org
Reporter	dakester@cisco.com

Created attachment 9860 [details]
Sample .cap of 60 bytes all zeros.  Notice Frames 6, 12, and 23 in the attached
file LOOP2.cap.

Build Information:
Version 1.8.4 (SVN Rev 46250 from /trunk-1.8)

Copyright 1998-2012 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.10, with Cairo 1.10.2, with Pango 1.30.0, with
GLib 2.32.2, with WinPcap (4_1_2), with libz 1.2.5, without POSIX capabilities,
with SMI 0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS
2.12.18, with Gcrypt 1.4.6, without Kerberos, with GeoIP, with PortAudio
V19-devel (built Nov 28 2012), with AirPcap.

Running on 64-bit Windows 7 Service Pack 1, build 7601, with WinPcap version
4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch
1_0_rel0b (20091008), GnuTLS 2.12.18, Gcrypt 1.4.6, without AirPcap.

Built using Microsoft Visual C++ 10.0 build 40219
--

We are seeing Ethernet sniffer traces containing 60 bytes of all zeros (zeros
for everything) being decoded as Fibre Channel.  Although the info field says
"Unknown frame[Malformed Packet]"



11:03:48.267027    00.00.00    00.00.00    FC    60    Unknown frame[Malformed
Packet]


The Unknown frame [Malformed Packet] contains
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00
(00:00:00:00:00:00)
Type: Unknown (0x0000)
MDS Header(Unknown(0)/Unknown(11))
MDS Header
...0 0000 0000 0000 = Packet Len: 0
.... 0000 0000 00.. = Dst Index: 0x0000
.... ..00 0000 0000 = Src Index: 0x0000
.... 0000 0000 0000 = VSAN: 0

Users are interpreting this packet as coming from a Cisco MDS 9000 Fibre
Channel switch because Wireshark displays MDS.

It appears Wireshark is using a Fibre Channel display format/table for this
kind of unknown frames.

The Malformed packets are all zeros, including mac address and payload and
ethertype.

If the ethertype were 0xFCFC, then it would be fibre channel, not Ethernet, but

a fibre channel frame does not have an ethertype field because fibre-channel is
not Ethernet.

Ethernet and Fibre Channel are two separate layer 2 protoocls.

There is no hardware on the market that can switch from sending Ethernet to
sending fibre-channel on the fly.

This appears to be a Wireshark display bug.

Load the trace in a different tool and you may get a different interpretation.

Finisar Xgig TraceView decodes this frame of zeros as DLC.

We have seen this 60 byte frame with all zeros on a windows 7 machine while it
was waking up.

It is difficult to trace because LAN switches don’t learn mac addresses with
all zeros.

You are receiving this mail because:

You are watching all bug changes.

Follow-Ups:
- [Wireshark-bugs] [Bug 8256] Ethernet Frame with all zeros is decoded as Fibre Channel
  - From: bugzilla-daemon

Prev by Date: [Wireshark-bugs] [Bug 8255] New: Buildbot crash output: fuzz-2013-01-23-25318.pcap
Next by Date: [Wireshark-bugs] [Bug 8240] Dissector for the OpenVPN Protocol
Previous by thread: [Wireshark-bugs] [Bug 8255] Buildbot crash output: fuzz-2013-01-23-25318.pcap
Next by thread: [Wireshark-bugs] [Bug 8256] Ethernet Frame with all zeros is decoded as Fibre Channel
Index(es):
- Date
- Thread