What are CSM_ENCAPS ethernet broadcast packets?

asked 2020-09-02 14:47:00 +0000

n8lbv

updated 2020-09-02 17:13:44 +0000

grahamb

I have a failed router that is spitting out a constant stream of 60-byte packets on the LAN and WAN ports.
=All of its ethernet ports=
They are coming from a source address completely different than what the device's known and printed label MAC address is.

I've never seen this type of packet before, and the fact that this device died and is spitting these out continuously is very interesting.

The Hardware is an XBlue X-50 Phone IP PBX all-in one box with a NAT router.

Anybody know where these types of packets would normally be used or show up?
First time I've seen these ever.
Or noticed them anyhow.

Thanks!

Steve

Frame 1: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface \Device\NPF_{E99B9D26-C0CB-4C1F-BA28-62A94F6D740D}, id 0
Ethernet II, Src: 02:50:c2:3b:70:00 (02:50:c2:3b:70:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: 02:50:c2:3b:70:00 (02:50:c2:3b:70:00)
        Address: 02:50:c2:3b:70:00 (02:50:c2:3b:70:00)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: CSM_ENCAPS Protocol (0x889b)
CSM_ENCAPS
    Opcode: Control Packet (0x0001)
    Sequence Number: 7
    Channel Number: 0x0000
    Length: 0
    Index: 0
    Class: 32
    Type: 4
    Function Code:   (0x0000)
Control: 0x00
    0... .... = Packet Bit: Message Packet
    .0.. .... = ACK Suppress Bit: ACK Required
    .... ...0 = Endian Bit: Big Endian

Comments

Clear the LG bit (02) in the MAC address (00:50:c2:3b:70:00), then check the Wireshark OUI Lookup:

00:50:C2:3B:70:00/36 Mindspeed Technologies

A little info on the protocol here

Ethereal-dev: [Ethereal-dev] CSM_ENCAPS dissector
Chuckc ( 2020-09-02 15:18:09 +0000 )

@Chuckc - The packet detail snippet above shows the source MAC address as 02:50:c2:3b:70:00 (a locally admin address) and NOT the 00:50:C2:3B:70:00 you looked up.

Jim Young ( 2020-09-02 18:32:02 +0000 )

@Jim Young still the match between Mindspeed OUI and their Ethertype is striking, so I would guess the same: the OUI is theirs, the host part is non-unique.

Jaap ( 2020-09-03 05:36:23 +0000 )

My experience has been if the LG bit is set, clearing it and doing an OUI lookup often leads to a result.
See this Wireshark bug/issue discussion.

Also the manual for the X50 shows

Supplementary Processor 1x DSP Mindspeed M82351
Chuckc ( 2020-09-03 05:38:49 +0000 )

Thanks for clarifying. Overlooked the "Clear the LG bit" line in the first comment. Completely agree that clearing LG "and doing a lookup often leads to a result.". I should have thought a little more before my earlier comment.

Jim Young ( 2020-09-03 12:14:34 +0000 )
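
The lookup technique discussed in the comments (clear the LG bit, then match against an OUI prefix table), as an added example that is not part of the original thread. The 60-byte frame is constructed from the header values in the capture with a zero-filled payload, the /36 entry is the lookup result quoted above, and the /24 entry and all function names are assumptions made for illustration.

```python
import struct

ETHERTYPE_CSM_ENCAPS = 0x889B  # EtherType shown in the capture above

# Prefix table in Wireshark "manuf" style: (prefix, prefix bits, name).
# The /36 entry is the lookup result quoted in the thread; the /24 entry is a
# constructed placeholder so the longest-prefix rule has something to beat.
OUI_TABLE = [
    ("00:50:C2:00:00:00", 24, "placeholder-24-bit-block (constructed)"),
    ("00:50:C2:3B:70:00", 36, "Mindspeed Technologies"),
]

def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)

def oui_lookup(mac_int):
    """Return the name of the longest matching prefix, or None."""
    best = None
    for prefix, bits, name in OUI_TABLE:
        shift = 48 - bits
        if mac_int >> shift == mac_to_int(prefix) >> shift:
            if best is None or bits > best[0]:
                best = (bits, name)
    return best[1] if best else None

def analyze_frame(frame):
    """Parse the Ethernet II header and look up the source vendor twice:
    once as seen on the wire and once with the LG bit cleared."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    src_int = int.from_bytes(src, "big")
    cleared = src_int & ~(0x02 << 40)  # clear LG bit in the first octet
    return {
        "ethertype": ethertype,
        "broadcast": dst == b"\xff" * 6,
        "src": src.hex(":"),
        "locally_administered": bool(src[0] & 0x02),  # LG bit
        "group": bool(src[0] & 0x01),                 # IG bit
        "vendor_as_seen": oui_lookup(src_int),
        "src_lg_cleared": cleared.to_bytes(6, "big").hex(":"),
        "vendor_lg_cleared": oui_lookup(cleared),
    }

# Constructed 60-byte frame: header values from the capture, payload zero-filled.
SAMPLE = bytes.fromhex("ffffffffffff" "0250c23b7000" "889b") + bytes(46)

if __name__ == "__main__":
    for key, value in analyze_frame(SAMPLE).items():
        print(f"{key}: {value}")
```

A match found only after clearing the LG bit is a hint about the chipset or firmware vendor, not proof of the device's identity, since locally administered addresses are not registered with the IEEE.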