I removed the first 22 bytes of each packet (with editcap -C 22 <inputfile> <outputfile>) and then the resulting trace shows normal IP traffic (if you do the same, do you recognize the IP addresses in the resulting trace as being normal IP addresses in your network?). So I assume there is some (proprietary) tunneling going on with these packets, as it seems to be layered like this:

  • Ethernet Header (2c:21:72:ab:17:cc to cc:e1:7f:d6:59:63, ethertype 802.1Q)
  • Vlan header (vlan 24, ethertype 802.1Q)
  • Vlan header (vlan 24, ethertype IP)
  • Ethernet Header (xx to yy, ethertype IP)
  • IP header
  • <rest of normal IP packet>

Do you recognize vlan 24 as being configured in your network on this segment? Do you recognize the Juniper MAC addresses? Could you log into these Juniper devices and look at the configuration of the involved interfaces to see whether there is some Layer-2 tunneling configuration active?
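
An added example, not part of the original answer: a Python check that walks the layering listed above and reports how many bytes to chop (14 + 4 + 4 = 22) by testing where a checksum-valid IPv4 header really starts. The function names, the inner MAC addresses and the IP addresses in the sample frame are constructed for illustration.

```python
import struct

ETH_P_IP, ETH_P_8021Q = 0x0800, 0x8100

def ipv4_header_ok(buf):
    """True if buf starts with an IPv4 header whose checksum verifies."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return False
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return False
    total = sum(struct.unpack("!%dH" % (ihl // 2), buf[:ihl]))
    while total >> 16:                      # fold carries (one's complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def locate_ip(frame):
    """Return (vlan_ids, bytes_to_chop, ip_offset); ip_offset is None if no IPv4 found."""
    if len(frame) < 14:
        return [], 0, None
    off, vlans = 12, []
    (etype,) = struct.unpack_from("!H", frame, off)
    off += 2
    while etype == ETH_P_8021Q and len(frame) >= off + 4:
        tci, etype = struct.unpack_from("!HH", frame, off)
        vlans.append(tci & 0x0FFF)          # low 12 bits of the TCI are the VLAN id
        off += 4
    inner = frame[off:]
    if etype != ETH_P_IP:
        return vlans, 0, None
    if ipv4_header_ok(inner):               # ordinary (tagged) IP, nothing to chop
        return vlans, 0, off
    if len(inner) >= 14 and inner[12:14] == b"\x08\x00" and ipv4_header_ok(inner[14:]):
        return vlans, off, off + 14         # a second Ethernet header sits where IP was announced
    return vlans, 0, None

def sample_frame():
    """Constructed frame with the layering from the answer (inner MACs/IPs are made up)."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                               bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])))
    s = sum(struct.unpack("!10H", ip))
    s = (s & 0xFFFF) + (s >> 16); s = (s & 0xFFFF) + (s >> 16)
    struct.pack_into("!H", ip, 10, ~s & 0xFFFF)
    outer = bytes.fromhex("cce17fd659632c2172ab17cc")   # dst, src from the answer
    tags = struct.pack("!HHHHH", 0x8100, 24, 0x8100, 24, 0x0800)
    inner_eth = bytes.fromhex("020000000001020000000002") + b"\x08\x00"
    return outer + tags + inner_eth + bytes(ip)

if __name__ == "__main__":
    print(locate_ip(sample_frame()))
```

A non-zero chop length is the value to pass to editcap -C so the remaining bytes decode as a normal Ethernet/IP frame.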