What are these packets with an Ethertype of 0x0e00?

asked 2019-03-30 22:32:06 +0000

Yalek W
1 ●3 ●2

updated 2019-03-31 06:55:01 +0000

Guy Harris
19890 ●3 ●633 ●207

It turns out that Whenever a device connects to the network on my WNDR3800 router, wireshark shows the unknown ethertype "0x0e00" as its protocol. When really, this ethertype is very special only to that, or other WNDR3800 routers depending on configuration as an NDP or 'Neighbor Discovery protocol" connection, as to which, wireshark does not have a protocol listing for that yet, and needs to be added ASAP.

To prove this, the following packet capture is of 8 ICMPv6 messages (counted as the 5 regular for NDP according to wikipedia, being router Router Solicitation (packets 36, 37, 46, and 63), Router Advertisement, Neighbor Solicitation (packet 21), Neighbor Advertisement, and Redirect (maybe a Multicast Listener Report messages on packets 25 and 35?)) in accordance to this amazing discovery. I hope this stumps this community as I had just made this discovery just recently.

Note: this discovery had been filtered to one device, an acer tablet, so that it can be proved to that as easy as possible, as every other device also does the same thing with this router in this house.

edit retag flag offensive close merge delete

Comments

Hi Yalek,

I'm sorry to hear about the strange ethertype behavior. What will help us most is links (from dropbox, goolge drive, etc.) to the packet captures. Screenshots can also be helpful in addition to pcaps to identify relevant GUI features or elements.

Ross Jacobs ( 2019-03-30 22:43:42 +0000 )edit

add a comment

3 Answers

Sort by » oldest newest most voted

answered 2019-03-31 00:49:48 +0000

Guy Harris
19890 ●3 ●633 ●207

wireshark shows the unknown ethertype "0x0e00" as its protocol. When really, this ethertype is very special only to that, or other WNDR3800 routers depending on configuration as an NDP or 'Neighbor Discovery protocol" connection, as to which, wireshark does not have a protocol listing for that yet, and needs to be added ASAP.

It won't be Possible until somebody indicates what that protocol is and what it's name is, so "as soon as possible" means "not until somebody indicates that".

0E00 is not in the IEEE listing of Ethernet types.

edit flag offensive delete link

Comments

And yes, this was a capture on wifi, for those who are wondering

Yalek W ( 2019-03-31 15:54:35 +0000 )edit

add a comment

answered 2019-03-31 06:54:39 +0000

Guy Harris
19890 ●3 ●633 ●207

The one and only packet in your capture with an Ethernet type of 0x0e00 has, following the Ethernet header:

AA AA 03, which would be the DSAP, SSAP, and control field (Unnumbered Information) of an 802.2 header, with AA meaning SNAP;
00 00 00 00 06 00, which would be the OUI if it were a SNAP frame, but which is also a big-endian value equal to 1536, which is 18 bytes more than the maximum Ethernet frame size counting the FCS.

This was, I assume, a capture on a Wi-Fi network; it may either be that 1) the device in question is transmitting bad packets or 2) the hardware and software that's turning Wi-Fi packets into "fake Ethernet" packets is mangling some packets.

The mere fact that the host with the MAC address 68:b3:5e:18:cf:4e happens to be transmitting, among other things, ICMPv6 packets doing Neighbor Discovery does not, in and of itself, mean that the one 0x0e00 packet it also transmits has anything whatsoever to do with ICMPv6 Neighbor Discovery.

edit flag offensive delete link

Comments

Hmm interesting...ok. I guess I was wrong then?

Yalek W ( 2019-03-31 15:53:10 +0000 )edit

add a comment

answered 2019-03-30 22:41:34 +0000

grahamb

flag of United Kingdom of Great Britain and Northern Ireland

23790 ●4 ●950 ●227 https://www.wireshark.org

A photo isn't all that helpful. What is helpful is the actual Wireshark capture. This should be attached to an enhancement request at the Wireshark Bugzilla.