How do I rewrite the Ethernet II protocol type to 0x8100?

Background: I've got a remote capture box that's apparently losing its marble. The traffic being captured is all 802.1Q tagged, but the pcap files have the EII protocol bytes (13/14) rewritten to randomish values. At first I thought it was the span port on the Juniper switch, so I swapped it for a Cisco switch, and the problem followed along dutifully. It's quite odd, the rest of the packet data seems more or less intact, and a smallish percentage (~30%) come through unscathed. A truck roll to replace the capture box isn't in the cards for a couple weeks, and I at least need a whiff of the flows to solve an immediate problem.

Rewriting the protocol type to 0x8100 (13th and 14th bytes) on all the frames in the capture would get me close enough. Has anyone attempted this, and if so, what tool did you use?

Edit:

They look like:

Ethernet II, Src: Cisco_4a:a1:31 (e4:c7:22:4a:a1:31), Dst: Cisco_69:e7:e0 (54:a2:74:69:e7:e0)
    Destination: Cisco_69:e7:e0 (54:a2:74:69:e7:e0)
        [Destination (resolved): Cisco_69:e7:e0]
        Address: Cisco_69:e7:e0 (54:a2:74:69:e7:e0)
        [Address (resolved): Cisco_69:e7:e0]
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Cisco_4a:a1:31 (e4:c7:22:4a:a1:31)
        [Source (resolved): Cisco_4a:a1:31]
        Address: Cisco_4a:a1:31 (e4:c7:22:4a:a1:31)
        [Address (resolved): Cisco_4a:a1:31]
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: Unknown (0x1f39)

^^^^ the 'Type: Unknown' hex value is apparently random in the bulk of the trace, and I want those two bytes to get changed to 0x8100 in all frames in the trace, as in the following frame:

Ethernet II, Src: Cisco_4a:a1:31 (e4:c7:22:4a:a1:31), Dst: Cisco_69:e7:e0 (54:a2:74:69:e7:e0)
    Destination: Cisco_69:e7:e0 (54:a2:74:69:e7:e0)
        [Destination (resolved): Cisco_69:e7:e0]
        Address: Cisco_69:e7:e0 (54:a2:74:69:e7:e0)
        [Address (resolved): Cisco_69:e7:e0]
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Cisco_4a:a1:31 (e4:c7:22:4a:a1:31)
        [Source (resolved): Cisco_4a:a1:31]
        Address: Cisco_4a:a1:31 (e4:c7:22:4a:a1:31)
        [Address (resolved): Cisco_4a:a1:31]
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: 802.1Q Virtual LAN (0x8100)

Apologies for any lack of clarity in the original question, hopefully this makes my request less obtuse.
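
One way to do the rewrite described in the question, as an added example that is not part of the original post and not Wireshark project code. It assumes a classic pcap file (not pcapng) with the Ethernet link type and, as the question states, that every captured frame was 802.1Q tagged; the function names are illustrative and the three-frame capture is constructed from the MAC addresses and the `0x1f39` value shown above.

```python
import struct

ETHERTYPE_8021Q = b"\x81\x00"
LINKTYPE_ETHERNET = 1
# Classic pcap magic as it appears on disk -> struct byte-order prefix.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}  # nanosecond


def force_vlan_ethertype(pcap: bytes):
    """Return (patched_copy, frames_changed, frames_skipped)."""
    if len(pcap) < 24 or pcap[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    endian = MAGICS[pcap[:4]]
    # Low 16 bits are the link type; upper bits can carry extra flags.
    linktype = struct.unpack(endian + "I", pcap[20:24])[0] & 0xFFFF
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"link type {linktype} is not Ethernet")
    out = bytearray(pcap)
    changed = skipped = 0
    off = 24                                  # first per-packet record header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        data = off + 16
        if data + incl_len > len(pcap):
            break                             # truncated last record: leave as is
        if incl_len < 14:
            skipped += 1                      # too short for an Ethernet header
        elif out[data + 12:data + 14] != ETHERTYPE_8021Q:
            out[data + 12:data + 14] = ETHERTYPE_8021Q  # bytes 13/14, 1-based
            changed += 1
        off = data + incl_len
    return bytes(out), changed, skipped


def build_sample() -> bytes:
    """Constructed 3-frame capture: damaged type, intact type, 10-byte runt."""
    macs = bytes.fromhex("54a27469e7e0" "e4c7224aa131")  # dst, src
    rest = bytes.fromhex("00640800") + b"\x00" * 46      # VLAN 100 tag, IPv4
    frames = [macs + b"\x1f\x39" + rest, macs + b"\x81\x00" + rest, macs[:10]]
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        pcap += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return pcap


if __name__ == "__main__":
    _, changed, skipped = force_vlan_ethertype(build_sample())
    print(f"rewrote {changed} frame(s), skipped {skipped}")
```

The function returns a patched copy, so the original capture bytes stay untouched for later comparison. Any frame that was not really 802.1Q tagged will decode incorrectly after this overwrite.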