What are these packets with an Ethertype of 0x0e00?

asked 2019-03-30 22:32:06 +0000

Yalek W

updated 2019-03-31 06:55:01 +0000

Guy Harris

It turns out that whenever a device connects to the network on my WNDR3800 router, Wireshark shows the unknown ethertype "0x0e00" as its protocol. When really, this ethertype is very special only to that, or other WNDR3800 routers depending on configuration, as an NDP or "Neighbor Discovery Protocol" connection, as to which Wireshark does not have a protocol listing for that yet, and needs to be added ASAP.

To prove this, the following packet capture is of 8 ICMPv6 messages (counted as the 5 regular for NDP according to Wikipedia, being Router Solicitation (packets 36, 37, 46, and 63), Router Advertisement, Neighbor Solicitation (packet 21), Neighbor Advertisement, and Redirect (maybe Multicast Listener Report messages on packets 25 and 35?)) in accordance with this amazing discovery. I hope this stumps this community as I had just made this discovery just recently.

Note: this discovery had been filtered to one device, an Acer tablet, so that it can be proved as easily as possible, as every other device also does the same thing with this router in this house.


Comments

Hi Yalek,

I'm sorry to hear about the strange ethertype behavior. What will help us most is links (from Dropbox, Google Drive, etc.) to the packet captures. Screenshots can also be helpful in addition to pcaps to identify relevant GUI features or elements.

Ross Jacobs ( 2019-03-30 22:43:42 +0000 )

3 Answers


answered 2019-03-31 00:49:48 +0000

Guy Harris

> Wireshark shows the unknown ethertype "0x0e00" as its protocol. When really, this ethertype is very special only to that, or other WNDR3800 routers depending on configuration, as an NDP or "Neighbor Discovery Protocol" connection, as to which Wireshark does not have a protocol listing for that yet, and needs to be added ASAP.

It won't be possible until somebody indicates what that protocol is and what its name is, so "as soon as possible" means "not until somebody indicates that".

0E00 is not in the IEEE listing of Ethernet types.


Comments

And yes, this was a capture on wifi, for those who are wondering

Yalek W ( 2019-03-31 15:54:35 +0000 )

answered 2019-03-31 06:54:39 +0000

Guy Harris

The one and only packet in your capture with an Ethernet type of 0x0e00 has, following the Ethernet header:

  • AA AA 03, which would be the DSAP, SSAP, and control field (Unnumbered Information) of an 802.2 header, with AA meaning SNAP;
  • 00 00 00 00 06 00, which would be the OUI if it were a SNAP frame, but which is also a big-endian value equal to 1536, which is 18 bytes more than the maximum Ethernet frame size counting the FCS.

This was, I assume, a capture on a Wi-Fi network; it may either be that 1) the device in question is transmitting bad packets or 2) the hardware and software that's turning Wi-Fi packets into "fake Ethernet" packets is mangling some packets.

The mere fact that the host with the MAC address 68:b3:5e:18:cf:4e happens to be transmitting, among other things, ICMPv6 packets doing Neighbor Discovery does not, in and of itself, mean that the one 0x0e00 packet it also transmits has anything whatsoever to do with ICMPv6 Neighbor Discovery.

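The check walked through in the answer above, as an added example (not code from the answer or from Wireshark): it reads the 2-byte type/length field, applies the IEEE 802.3 split (values up to 1500 are lengths, 1536 and above are types), and flags an unregistered type that is followed by the AA AA 03 LLC/SNAP bytes. The function name, the short `KNOWN_TYPES` table, the destination addresses and the padding are assumptions; the source MAC and the nine bytes after the header are taken from the answer.

```python
import struct

ETHERTYPE_MIN = 0x0600    # 1536: values from here up are types, not lengths
MAX_8023_LENGTH = 1500    # values up to here are 802.3 payload lengths
# Small constructed sample of registered types, not the full IEEE list.
KNOWN_TYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
LLC_SNAP = bytes.fromhex("aaaa03")  # DSAP=AA, SSAP=AA, control=03 (UI)


def classify_frame(frame: bytes) -> dict:
    """Interpret the 2-byte type/length field and peek at what follows it."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst, src, field = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    if field <= MAX_8023_LENGTH:
        kind = "802.3 length"
    elif field < ETHERTYPE_MIN:
        kind = "undefined"
    else:
        kind = "ethertype"
    has_llc_snap = payload[:3] == LLC_SNAP
    # An LLC/SNAP header belongs after a length field. Finding one after an
    # unregistered type value points to a bad or mis-converted frame.
    suspicious = (kind == "ethertype" and field not in KNOWN_TYPES
                  and has_llc_snap)
    return {
        "src": src.hex(":"),
        "field": f"0x{field:04x}",
        "kind": kind,
        "name": KNOWN_TYPES.get(field, "unknown") if kind == "ethertype" else None,
        "llc_snap_follows": has_llc_snap,
        "after_llc": payload[3:9].hex(" ") if has_llc_snap else None,
        "suspicious": suspicious,
    }


# Constructed frames: source MAC from the answer, the rest made up.
SRC = bytes.fromhex("68b35e18cf4e")
DST = bytes.fromhex("ffffffffffff")
ODD = DST + SRC + bytes.fromhex("0e00aaaa03000000000600") + bytes(37)
IPV6 = bytes.fromhex("333300000002") + SRC + bytes.fromhex("86dd") + bytes(40)

if __name__ == "__main__":
    for frame in (ODD, IPV6):
        print(classify_frame(frame))
```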

Comments

Hmm interesting...ok. I guess I was wrong then?

Yalek W ( 2019-03-31 15:53:10 +0000 )

answered 2019-03-30 22:41:34 +0000

grahamb

A photo isn't all that helpful. What is helpful is the actual Wireshark capture. This should be attached to an enhancement request at the Wireshark Bugzilla.


Comments

Got your capture in a link to drive, I cannot upload the actual file directly here yet.

Yalek W ( 2019-03-30 22:56:18 +0000 )

https://drive.google.com/open?id=1i-7... ^^ Link to the packet capture.

and link, to Neighbor discovery protocol:

https://en.wikipedia.org/wiki/Neighbo...

Yalek W ( 2019-03-31 02:43:13 +0000 )

Yes, we're quite aware of the Neighbor Discovery Protocol...

...which uses the Ethernet type 0x86dd, not 0x0e00.

Guy Harris ( 2019-03-31 06:37:19 +0000 )
