why protocol result is 0x8892 not PNIO-PS

asked 2021-04-14 09:27:11 +0000

zmmmm gravatar image

updated 2021-04-14 11:21:59 +0000

grahamb gravatar image

in linux environment

if user/test the column protocol is 0x8892 

[test@pekphispre03021 test]$ tshark -r test.pcapng -T fields -e _ws.col.Source -e _ws.col.Destination -e _ws.col.Protocol -E header=n -E separator=, -E occurrence=f
RealtekS_68:0f:eb,Broadcast,ARP
RealtekS_68:0f:eb,Broadcast,ARP
RealtekS_68:0f:eb,Broadcast,ARP
NewH3CTe_42:71:39,LLDP_Multicast,LLDP
00:f1:ca:00:c1:33,All-Stations-Address,0x0941
Raisecom_91:03:fd,Broadcast,ARP
Raisecom_d8:32:c2,Broadcast,ARP
RealtekS_68:0f:eb,Broadcast,ARP
B&RIndus_16:4f:22,PN-MC_00:00:00,0x8892
Siemens_77:a5:97,B&RIndus_16:4f:22,0x8892
00:f1:ca:00:c1:33,All-Stations-Address,0x092c
B&RIndus_48:5a:92,PN-MC_00:00:00,0x8892
B&RIndus_48:5a:92,PN-MC_00:00:00,0x8892
B&RIndus_48:5a:92,PN-MC_00:00:00,0x8892
B&RIndus_48:5a:92,PN-MC_00:00:00,0x8892
B&RIndus_48:5a:92,PN-MC_00:00:00,0x8892

if i user/root then the result is PNIO_PS

[root@pekphispre03021 test]# tshark -r test.pcapng -T fields -e _ws.col.Source -e _ws.col.Destination -e _ws.col.Protocol -E header=n -E separator=, -E occurrence=f
Running as user "root" and group "root". This could be dangerous.
RealtekS_68:0f:eb,Broadcast,ARP
RealtekS_68:0f:eb,Broadcast,ARP
RealtekS_68:0f:eb,Broadcast,ARP
NewH3CTe_42:71:39,LLDP_Multicast,LLDP
00:f1:ca:00:c1:33,All-Stations-Address,0x0941
Raisecom_91:03:fd,Broadcast,ARP
Raisecom_d8:32:c2,Broadcast,ARP
RealtekS_68:0f:eb,Broadcast,ARP
B&RIndus_16:4f:22,PN-MC_00:00:00,PN-DCP
Siemens_77:a5:97,B&RIndus_16:4f:22,PN-DCP
00:f1:ca:00:c1:33,All-Stations-Address,0x092c
B&RIndus_48:5a:92,PN-MC_00:00:00,PN-DCP
B&RIndus_48:5a:92,PN-MC_00:00:00,PN-DCP
B&RIndus_48:5a:92,PN-MC_00:00:00,PN-DCP
B&RIndus_48:5a:92,PN-MC_00:00:00,PN-DCP
B&RIndus_48:5a:92,PN-MC_00:00:00,PN-DCP
edit retag flag offensive close merge delete

Comments

"use test or root" what are are test and root, different captures?

grahamb gravatar imagegrahamb ( 2021-04-14 09:42:32 +0000 )edit

different linux user

zmmmm gravatar imagezmmmm ( 2021-04-14 09:44:43 +0000 )edit

Possibly different configurations per user, are you sure they are running the same tshark binary?

grahamb gravatar imagegrahamb ( 2021-04-14 10:36:50 +0000 )edit

i'm sure they are running the same tshark binary

zmmmm gravatar imagezmmmm ( 2021-04-14 11:10:51 +0000 )edit

PN-DCP depends on layer pn_rt (see packet-pn-dcp.c)

Downloads$ tshark -r ChangeIPUsingDCP.pcap -z io,phs -q

===================================================================
Protocol Hierarchy Statistics
Filter:

frame                                    frames:6 bytes:412
  eth                                    frames:6 bytes:412
    pn_rt                                frames:4 bytes:292
      pn_dcp                             frames:4 bytes:292
    arp                                  frames:2 bytes:120
===================================================================

"Possibly different configurations per user" - maybe there is a difference between profiles.
Look at making a profile that works, then copying between users and specifying with -C option. (tshark man page)

Chuckc gravatar imageChuckc ( 2021-04-14 14:53:17 +0000 )edit
see more comments