Ask Your Question
0

What is a valid LLC SNAP indicator?

asked 2017-11-26 22:52:26 +0000

Matt Davis gravatar image

updated 2017-11-27 00:10:14 +0000

I'm trying to solidify some things in my head.

Wikipedia indicates that a SNAP extension is in use if the DSAP and SSAP values in the IEEE 802.3 header are 0xAA or 0xAB. The Network Sorcery page indicates that only 0xAA indicates a SNAP extension, and this seems to be confirmed by Wireshark 2.4.2. If either of the DSAP/SSAP values are 0xAB, Wireshark does not process the upper layer as the specified protocol (e.g., CDP, PAgP, etc.), but instead treats it as a data block.

Assuming that the DSAP and SSAP values are both 0xAA (indicating the SNAP extension is in use), if the Control field in the IEEE 802.3 LLC header is anything other than 0x03, Wireshark breaks out the LLC/SNAP header correctly, but it treats the upper layer as a data block, not the specified protocol.

  1. For LLC/SNAP, is it required for the SAPs to be 0xAA or can either/both be 0xAB? Perhaps this was once the case and is no longer used in practice?
  2. Is it required for the Control field to be 0x03, or can it be a 1- or 2-byte variety? Perhaps this was once the case and is no long used in practice?
edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
1

answered 2017-11-27 10:25:33 +0000

Guy Harris gravatar image

For LLC/SNAP, is it required for the SAPs to be 0xAA or can either/both be 0xAB?

IEEE Std 802-2014 says it can be either one. According to IEEE Std 802.2-1998:

  • the low-order bit of a DSAP is the Individual/Group (I/G) bit; 0xAA and 0xAB differ only in the value of that bit.
  • the low-order bit of an SSAP is the Command/Response (C/R) bit; 0xAA and 0xAB differ only in the value of that bit.

The I/G bit indicates whether "the address is an individual DSAP address" (if 0) or "the address is a group DSAP address that identifies none, one or more, or all of the service access points that are serviced by the LLC entity" (if 1).

The C/R bit indicates whether "the LLC PDU is a command" (if 0) or "the LLC PDU is a response" (if 1).

Is it required for the Control field to be 0x03, or can it be a 1- or 2-byte variety?

A SNAP frame can be a UI frame, and "other information-carrying LPD PDU types may also be used with SNAP identifiers", as per IEEE Std 802-2014. I don't know what other frame types are used, or how they are interpreted; simply treating the payload the same way the payload of a UI frame wouldn't necessarily work, so, to interpret them in Wireshark, we'd probably have to have separate tables to handle them, rathe than just using the same tables we use for UI frames.

edit flag offensive delete link more

Comments

Thanks, @Guy Harris.

Matt Davis gravatar imageMatt Davis ( 2017-11-29 01:36:57 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2017-11-26 22:52:26 +0000

Seen: 37 times

Last updated: Nov 27