IP over LLC with a twist

asked 2023-05-31 19:36:12 +0000

Eddi

Dear Wireshark Community

I stumbled over a trace file with a non-standard version of IP over LLC. Wireshark can decode regular IP over LLC if the organization code is set to zero:

Logical-Link Control
    DSAP: SNAP (0xaa)
    SSAP: SNAP (0xaa)
    Control field: U, func=UI (0x03)
    Organization Code: 00:00:00 (Officially Xerox, but
    Type: IPv4 (0x0800)

Alas, in my trace file the organization code is specific to the manufacturer Hirschmann:

Logical-Link Control
    DSAP: SNAP (0xaa)
    SSAP: SNAP (0xaa)
    Control field: U, func=UI (0x03)
    Organization Code: 00:80:63 (Richard Hirschmann Gm
    Protocol ID: 0x0800

Does anybody have an idea how to get Wireshark to treat this as IP?

All hints are appreciated



2 Answers


answered 2023-06-04 16:55:35 +0000

SYN-bit

While @Jaap's solution will make it work in any case straight out-of-the-box, you could run editcap on the file to make the IPv4 part readable:

$ editcap -C 0:30 -T rawip4 Hirschmann_IP_over_LLC.pcapng new.pcapng
$ tshark -r new.pcapng 
    1 0.000000000 → UDP 92 0 → 0 Len=30
    2 0.001387232 → UDP 92 0 → 0 Len=30

The -C 0:30 deletes the first 30 bytes of each packet, leaving only the bare IPv4 content intact. And the -T rawip4 will change the link layer type of the packets to RAWIPv4, which Wireshark can read.


answered 2023-06-01 09:09:28 +0000

Jaap

You would have to add a dissector for that OUI which registers to the LLC dissector using llc_add_oui(). That dissector, for the Hirschmann OUI, would have to interpret the Protocol ID (0x0800) and hand off the rest of the tvb to the IP dissector.

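The hand-off described in the answers, as an added standalone Python sketch (not Wireshark code and not from either answer): it reads the SNAP header, treats the Protocol ID as an EtherType only for OUI 00:00:00 or an OUI the analyst explicitly allows, and validates the IPv4 header before returning the payload. The function names, the `extra_ouis` parameter and the sample packet are assumptions constructed for the example; the real trace's framing in front of the LLC header is not modelled.

```python
import struct

OUI_ETHERTYPE = bytes.fromhex("000000")   # RFC 1042 style: PID is an EtherType
OUI_HIRSCHMANN = bytes.fromhex("008063")  # OUI shown in the question
ETHERTYPE_IPV4 = 0x0800

def parse_llc_snap(pdu):
    """Split an LLC PDU into (oui, pid, payload); None if not SNAP with UI control."""
    if len(pdu) < 8 or pdu[:3] != b"\xaa\xaa\x03":
        return None
    return pdu[3:6], struct.unpack("!H", pdu[6:8])[0], pdu[8:]

def ipv4_from_snap(pdu, extra_ouis=()):
    """Return the IPv4 packet inside a SNAP PDU, or None.

    extra_ouis: 3-byte OUIs whose Protocol ID is to be read as an EtherType,
    in addition to 00:00:00 (an explicit analyst decision per vendor).
    """
    parsed = parse_llc_snap(pdu)
    if parsed is None:
        return None
    oui, pid, payload = parsed
    if oui != OUI_ETHERTYPE and oui not in extra_ouis:
        return None            # vendor-private PID namespace: do not guess
    if pid != ETHERTYPE_IPV4 or len(payload) < 20 or payload[0] >> 4 != 4:
        return None
    ihl = (payload[0] & 0x0F) * 4
    total_len = struct.unpack("!H", payload[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(payload):
        return None            # truncated or not really IPv4
    return payload[:total_len]  # trailing link-layer padding is dropped

def snap_frame(oui, pid, payload):
    """Build a constructed LLC/SNAP PDU for the demo."""
    return b"\xaa\xaa\x03" + oui + struct.pack("!H", pid) + payload

def sample_ipv4(data=b"constructed"):
    """Constructed IPv4/UDP packet (documentation addresses, zero checksums)."""
    total = 20 + 8 + len(data)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + struct.pack("!HHHH", 5000, 5001, 8 + len(data), 0) + data

if __name__ == "__main__":
    pkt = sample_ipv4()
    vendor = snap_frame(OUI_HIRSCHMANN, 0x0800, pkt + b"\x00" * 4)
    print(ipv4_from_snap(vendor))
    print(ipv4_from_snap(vendor, {OUI_HIRSCHMANN}) == pkt)
```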


Asked: 2023-05-31 19:36:12 +0000

Seen: 165 times

Last updated: Jun 04 '23