IP over LLC with a twist

asked 2023-05-31 19:36:12 +0000

Dear Wireshark Community

I stumbled over a trace file with a non-standard version of IP over LLC. Wireshark can decode regular IP over LLC if the organization code is set to zero:

Logical-Link Control
    DSAP: SNAP (0xaa)
    SSAP: SNAP (0xaa)
    Control field: U, func=UI (0x03)
    Organization Code: 00:00:00 (Officially Xerox, but
    Type: IPv4 (0x0800)

Alas, in my trace file the organization code is specific to the manufacturer Hirschmann:

Logical-Link Control
    DSAP: SNAP (0xaa)
    SSAP: SNAP (0xaa)
    Control field: U, func=UI (0x03)
    Organization Code: 00:80:63 (Richard Hirschmann Gm
    Protocol ID: 0x0800

Does anybody have an idea how to get Wireshark to treat this as IP?

All hints are appreciated


answered 2023-06-04 16:55:35 +0000

While @Jaap's solution will make it work in any case straight out-of-the-box, you could run editcap on the file to make the IPv4 part readable:

$ editcap -C 0:30 -T rawip4 Hirschmann_IP_over_LLC.pcapng new.pcapng
$ tshark -r new.pcapng 
    1 0.000000000 → UDP 92 0 → 0 Len=30
    2 0.001387232 → UDP 92 0 → 0 Len=30

The -C 0:30 deletes the first 30 bytes of each packet, leaving only the bare IPv4 content intact. And the -T rawip4 will change the link layer type of the packets to RAWIPv4, which Wireshark can read.

answered 2023-06-01 09:09:28 +0000

You would have to add a dissector for that OUI which registers to the LLC dissector using llc_add_oui(). That dissector, for the Hirschmann OUI, would have to interpret the Protocol ID (0x0800) and hand off the rest of the tvb to the IP dissector.
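
Added example, not part of the original thread and not Wireshark code: a standalone Python sketch of the decision both answers rely on, namely checking the SNAP header, accepting the Hirschmann OUI 00:80:63 alongside 00:00:00, reading the Protocol ID as an EtherType and handing on only a sanity-checked IPv4 packet instead of cutting at a fixed byte count. The names `extract_ipv4`, `build_sample` and `ETHERTYPE_OUIS` are hypothetical, and the sample frame is constructed with a plain 802.3 header (LLC at offset 14), which is an assumption; the layout of the real capture is not shown on the page.

```python
import struct

SNAP_SAP, LLC_UI = 0xAA, 0x03
PID_IPV4 = 0x0800
# OUIs whose SNAP protocol ID is read as an EtherType: the standard
# 00:00:00 and the Hirschmann OUI 00:80:63 seen in the question.
ETHERTYPE_OUIS = {bytes.fromhex("000000"), bytes.fromhex("008063")}

def extract_ipv4(frame: bytes, llc_offset: int = 14) -> bytes:
    """Return the IPv4 packet carried in an LLC/SNAP frame, or raise ValueError.

    llc_offset is where the LLC header starts; 14 assumes a plain 802.3
    header (dst MAC, src MAC, length), which is an assumption of this example.
    """
    hdr = frame[llc_offset:llc_offset + 8]
    if len(hdr) < 8:
        raise ValueError("frame too short for LLC/SNAP")
    if tuple(hdr[:3]) != (SNAP_SAP, SNAP_SAP, LLC_UI):
        raise ValueError("not an LLC UI frame with SNAP SAPs")
    oui, (pid,) = hdr[3:6], struct.unpack("!H", hdr[6:8])
    if oui not in ETHERTYPE_OUIS:
        raise ValueError(f"unhandled OUI {oui.hex(':')}")
    if pid != PID_IPV4:
        raise ValueError(f"protocol ID 0x{pid:04x} is not IPv4")
    ip = frame[llc_offset + 8:]
    # Sanity-check the IPv4 header instead of trusting the encapsulation.
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("payload is not an IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", ip[2:4])
    if ihl < 20 or not ihl <= total_len <= len(ip):
        raise ValueError("inconsistent IPv4 length fields")
    return ip[:total_len]  # drop any link-layer padding after the packet

def build_sample(oui: bytes, pid: int = PID_IPV4) -> bytes:
    """Constructed test frame: 802.3 + LLC/SNAP + IPv4/UDP + 4 pad bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    ip += struct.pack("!HHHH", 0, 0, 8, 0)            # empty UDP datagram
    llc = bytes([SNAP_SAP, SNAP_SAP, LLC_UI]) + oui + struct.pack("!H", pid)
    body = llc + ip
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    return macs + struct.pack("!H", len(body)) + body + b"\x00" * 4

if __name__ == "__main__":
    pkt = extract_ipv4(build_sample(bytes.fromhex("008063")))
    print(len(pkt), "byte IPv4 packet,", "proto", pkt[9])
```

Frames with an OUI outside the set, or with a Protocol ID other than 0x0800, raise ValueError rather than being decoded as IP.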

