
Usually I believe that you would put something replacing the 0x1234 with the ethernet type, but the IEEE-802.3 has src, dst, and length fields.

Originally, the IEEE standard for Ethernet differed from the DEC/Intel/Xerox (D/I/X) standard by using the 2-byte field after the source address as a packet length rather than as a next-protocol type. By requiring Ethernet type values to be larger than 0x600, it was possible to determine whether a packet on an Ethernet is in D/I/X format or IEEE format. Eventually, the IEEE standard changed to support both formats.

If your protocol is using "length-field" Ethernet packets, then the 14-byte destination/source/length header should be followed by an IEEE 802.2 header, which includes a one-byte Destination Service Access Point (DSAP) field, a one-byte Source Service Access Point (SSAP) field, and a one-byte or two-byte Control field. The DSAP and SSAP fields are used to indicate what protocol is contained in the Ethernet frame.

If the DSAP and SSAP fields both have the value 0xAA, then the 802.2 header is followed by a Subnetwork Access Protocol (SNAP) header, which contains a 3-byte organizationally unique identifier (OUI) field and a 2-byte protocol ID field. If the OUI field has a value of 0x000000, the protocol ID field contains an Ethertype value; otherwise, it contains a value whose meaning is specified by the organization whose OUI appears in the OUI field.

802.2 and SNAP are used for link layers other than Ethernet, such as 802.5 Token Ring, FDDI, and 802.11 Wi-Fi; for those protocols, which don't (except for some Wi-Fi PHY layers) have an Ethernet type field, an OUI of 0x000000 is used for protocols such as IPv4 and IPv6. For Ethernet, this isn't necessary, so an OUI of 0x000000 is rarely used with SNAP headers.

So:

  • if your protocol uses an 802.2 header without SNAP, it presumably uses a particular DSAP value, and you can register your dissector in the "llc.dsap" dissector table, using that DSAP;
  • if your protocol uses an 802.2 header with SNAP, and the OUI is one of the OUIs for which Wireshark has support, that OUI would have a dissector table, and you can register your dissector in that dissector table, using the protocol ID value;
  • if your protocol uses an 802.2 header with SNAP, and the OUI is not one of the OUIs for which Wireshark has support, support for it would have to be added and, unfortunately, that's not currently supported in Lua.

The OUIs supported by the main branch of Wireshark are:

  • AppleTalk (0x080007), with a dissector table named "llc.apple_atalk_pid";
  • Apple AWDL (0x0017F2), with a dissector table named "llc.apple_awdl_pid";
  • Bluetooth (0x001958), with a dissector table named "llc.bluetooth_pid";
  • Cimetrics, Inc. (0x001090), with a dissector table named "llc.cimetrics_pid";
  • Cisco (0x00000C), with a dissector table named "llc.cisco_pid";
  • Extreme Networks EDP/ESRP (0x00E02B), with a dissector table named "llc.extreme_pid";
  • Force10 Networks (0x0001E8), with a dissector table named "llc.force10_pid";
  • Foundry Networks (0x00E052), with a dissector table named "llc.foundry_pid";
  • HP (0x00805F), with a dissector table named "llc.hpteam_pid";
  • the IANA (0x00005E), with a dissector table named "llc.iana_pid";
  • Locamation (0x0040d6), with a dissector table named "locamation-im.llc.pid";
  • the Wi-Fi Alliance (0x506F9A), with a dissector table named "llc.wfa_pid";
  • Nortel (0x000081), with a dissector table named "llc.nortel_pid";
  • Cisco Wireless (Aironet) (0x004096), with a dissector table named "llc.wlccp_pid".
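
The decision steps in the answer above, written out as an added Python example (not part of the original answer and not Wireshark code): given a raw Ethernet frame, it reports which dissector table and key a dissector for that frame's payload would be registered under. The function name `registration_point` is hypothetical; the code assumes a one-byte Control field before the SNAP header, uses the IEEE 802.3 boundary of 0x0600 for type values, and uses "ethertype", Wireshark's table for Ethertype values, which the answer does not name.

```python
import struct

# OUI -> dissector table name, as listed in the answer above.
OUI_TABLES = {
    0x080007: "llc.apple_atalk_pid", 0x0017F2: "llc.apple_awdl_pid",
    0x001958: "llc.bluetooth_pid", 0x001090: "llc.cimetrics_pid",
    0x00000C: "llc.cisco_pid", 0x00E02B: "llc.extreme_pid",
    0x0001E8: "llc.force10_pid", 0x00E052: "llc.foundry_pid",
    0x00805F: "llc.hpteam_pid", 0x00005E: "llc.iana_pid",
    0x0040D6: "locamation-im.llc.pid", 0x506F9A: "llc.wfa_pid",
    0x000081: "llc.nortel_pid", 0x004096: "llc.wlccp_pid",
}

def registration_point(frame: bytes):
    """Return (dissector_table, key) for an Ethernet frame. The table is
    None when the SNAP OUI has no dissector table in the list above."""
    if len(frame) < 14:
        raise ValueError("shorter than the 14-byte Ethernet header")
    (type_or_len,) = struct.unpack_from("!H", frame, 12)
    if type_or_len >= 0x0600:          # D/I/X framing: the field is an Ethertype
        return ("ethertype", type_or_len)
    if len(frame) < 17:                # length-field framing needs DSAP/SSAP/Control
        raise ValueError("length-field frame without an 802.2 header")
    dsap, ssap = frame[14], frame[15]
    if not (dsap == 0xAA and ssap == 0xAA):
        return ("llc.dsap", dsap)      # 802.2 without SNAP: keyed by DSAP
    if len(frame) < 22:
        raise ValueError("truncated SNAP header")
    # Assumption: 1-byte Control at offset 16, then 3-byte OUI and 2-byte protocol ID.
    oui = int.from_bytes(frame[17:20], "big")
    (pid,) = struct.unpack_from("!H", frame, 20)
    if oui == 0x000000:                # protocol ID carries an Ethertype
        return ("ethertype", pid)
    return (OUI_TABLES.get(oui), pid)  # vendor table keyed by protocol ID

if __name__ == "__main__":
    # Constructed sample: zeroed addresses, length 8, SNAP with the Cisco OUI.
    sample = bytes(12) + struct.pack("!H", 8) + bytes.fromhex("aaaa0300000c2000")
    print(registration_point(sample))
```

A `None` table in the result corresponds to the third case in the answer: an OUI for which support would first have to be added to Wireshark.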