Ask Your Question
0

How do I rewrite the Ethernet II protocol type to 0x8100?

asked 2018-03-19 21:38:41 +0000

whammy gravatar image

updated 2018-03-24 20:22:34 +0000

grahamb gravatar image

Background: I've got a remote capture box that's apparently losing its marble. The traffic being captured is all 802.1Q tagged, but the pcap files have the EII protocol bytes (13/14) rewritten to randomish values. At first I thought it was the span port on the Juniper switch, so I swapped it for a Cisco switch, and the problem followed along dutifully. It's quite odd, the rest of the packet data seems more or less intact, and a smallish percentage (~30%) come through unscathed. A truck roll to replace the capture box isn't in the cards for a couple weeks, and I at least need a whiff of the flows to solve an immediate problem.

Rewriting the protocol type to 0x8100 (13th and 14th bytes) on all the frames in the capture would get me close enough. Has anyone attempted this, and if so, what tool did you use?

Edit:

They look like:

Ethernet II, Src: Cisco_4a:a1:31 (e4:c7:22:4a:a1:31), Dst: Cisco_69:e7:e0 (54:a2:74:69:e7:e0)
    Destination: Cisco_69:e7:e0 (54:a2:74:69:e7:e0)
        [Destination (resolved): Cisco_69:e7:e0]
        Address: Cisco_69:e7:e0 (54:a2:74:69:e7:e0)
        [Address (resolved): Cisco_69:e7:e0]
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Cisco_4a:a1:31 (e4:c7:22:4a:a1:31)
        [Source (resolved): Cisco_4a:a1:31]
        Address: Cisco_4a:a1:31 (e4:c7:22:4a:a1:31)
        [Address (resolved): Cisco_4a:a1:31]
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: Unknown (0x1f39)

^^^^ the 'Type: Unknown' hex value is apparently random in the bulk of the trace, and I want those two bytes to get changed to 0x8100 in all frames in the trace, as in the following frame:

Ethernet II, Src: Cisco_4a:a1:31 (e4:c7:22:4a:a1:31), Dst: Cisco_69:e7:e0 (54:a2:74:69:e7:e0)
    Destination: Cisco_69:e7:e0 (54:a2:74:69:e7:e0)
        [Destination (resolved): Cisco_69:e7:e0]
        Address: Cisco_69:e7:e0 (54:a2:74:69:e7:e0)
        [Address (resolved): Cisco_69:e7:e0]
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Cisco_4a:a1:31 (e4:c7:22:4a:a1:31)
        [Source (resolved): Cisco_4a:a1:31]
        Address: Cisco_4a:a1:31 (e4:c7:22:4a:a1:31)
        [Address (resolved): Cisco_4a:a1:31]
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: 802.1Q Virtual LAN (0x8100)

Apologies for any lack of clarity in the original question, hopefully this makes my request less obtuse.

edit retag flag offensive close merge delete

2 Answers

Sort by » oldest newest most voted
0

answered 2018-03-20 14:27:18 +0000

cmaynard gravatar image

If your analysis doesn't require the VLAN tags, you can use editcap to remove them, e.g.:

editcap -C 12:4 vlan-tagged-file.pcap novlan-tagged-file.pcap
edit flag offensive delete link more

Comments

Maybe my head is once again in temporary brain lapse mode, but as far as I see it this command would cut away the VLAN tags but not fix the broken Ethertype bytes? They would have to be set to 0x0800, 0x0806 or 0x86dd, depending on the frame contents, don't they?

Jasper gravatar imageJasper ( 2018-03-20 16:31:30 +0000 )edit

The Ethernet Frame Format with 802.1Q Header resembles:

|    Destination MAC    |       Source MAC      | 802.1Q Header | EType | ...
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ ...
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |10 |11 |12 |13 |14 |15 |16 |17 |18 | ...
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ ...

Removing the 4 bytes comprising the 802.1Q Header (bytes 13-16) effectively just shifts the rest of the bytes, including the Ethertype into the position they would be in if there hadn't ever been a VLAN tag there in the first place.

I believe Tracewrangler even has support for this very task.

cmaynard gravatar imagecmaynard ( 2018-03-20 17:07:18 +0000 )edit

right, so the right Ethertype from the VLAN tag will move in place of the broken 0x8100 type. Temporary brain lapse :-)

TraceWrangler can do that, yes, but I guess it will choke on the Ethertype of not being 0x8100 and say there is no VLAN tag :-)

Jasper gravatar imageJasper ( 2018-03-20 17:16:11 +0000 )edit

Apparently my descriptive language for ethertype is in error, per the header format. The frames that are bungled have the correct PCP/DEI/VID in place, the TPID is what is mangled. Tracewrangler did dutifully remove the VLAN tags, but left the garbage bytes where the TPID would normally be in place, leaving an unrecognizable ethertype in the header which causes Wireshark to decode it incorrectly. My sed/awk/regex fu is basically zero, which about the only tool currently at my disposal that I imagine would do the deed; export the trace into text format with tshark, munch on it, then import it back (text2pcap?) after sanitizing. I can describe it simply, but getting there isn't quite so simple: overwrite bytes 13/14 to 0x8100 in all frames.

whammy gravatar imagewhammy ( 2018-03-20 18:25:12 +0000 )edit

Can you send me a sample trace to jasper[ät]packet-foo.com so I can take a look? If it's not too complicated I can put that functionality into a nightly build of TraceWrangler tonight..

Jasper gravatar imageJasper ( 2018-03-20 18:29:19 +0000 )edit
0

answered 2018-03-19 21:49:13 +0000

grahamb gravatar image

Maybe editcap using the -T option?

edit flag offensive delete link more

Comments

No dice (though I actually did try your suggestion). The frames are correctly marked as Ethernet, I want to change the protocol type so it recognizes the VLAN tags that are present in the raw data.

whammy gravatar imagewhammy ( 2018-03-19 22:19:46 +0000 )edit

OK, I'm not sure if TraceWrangler can do this, if not then I think it will have to be some form of programming\scripting language that has a library that understands pcap format files and allows you to modify and correct the protocol type in the Ethernet header.

grahamb gravatar imagegrahamb ( 2018-03-19 22:47:56 +0000 )edit

A desperate way could be to use File->Export Packet Dissections -> As Plain Text, check just the "packet summary line" and "packet bytes" and then use a script to process the output text into a format where the timestamp is followed by the packet bytes without the offsets, like

12:31:20.462800 ff ff ff ff ff ff 02 00 4c 4f 4f 50 08 00 45 00 00 f0 11 cd 00 00 80 11 2b cf a9 fe a8 64 a9 fe ...

and also to rewrite the ethertype value to 81 00.

Then you would read the result back in, using File -> Import from Hex Dump.

sindy gravatar imagesindy ( 2018-03-20 11:52:24 +0000 )edit

TraceWrangler can change the Ethertype under some circumstances (e.g. when converting Linux cooked to pseudo Ethernet), but this specific case is not one of them.

In general this wouldn't be a complex thing to add to the Edit tasks settings, but since it's a special case that will rarely (if ever) happen to anyone again it would only make sense to code this if no other answer works. Let me know :-)

Jasper gravatar imageJasper ( 2018-03-20 16:28:18 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-03-19 21:38:41 +0000

Seen: 87 times

Last updated: Mar 20