Wireshark sees Ethernet LLC, but packet is probably Ethernet raw
Hello,
I'm working with some packet traces that appear to have 802.3 raw Ethernet. In other words, after the destination and source MAC addresses, instead of an Ethertype like 0x0800, I see a length field, and then content, e.g.
Frame 3: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Encapsulation type: Ethernet (1)
Arrival Time: May 7, 2019 18:19:10.073296000 UTC
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1557253150.073296000 seconds
[Time delta from previous captured frame: 0.000003000 seconds]
[Time delta from previous displayed frame: 0.000003000 seconds]
[Time since reference or first frame: 0.000024000 seconds]
Frame Number: 3
Frame Length: 66 bytes (528 bits)
Capture Length: 66 bytes (528 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:llc:data]
IEEE 802.3 Ethernet
Destination: fc:ec:da:49:e0:10
Address: fc:ec:da:49:e0:10
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 38:ba:f8:12:7d:bb
Address: 38:ba:f8:12:7d:bb
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Length: 56
[Expert Info (Error/Malformed): Length field value goes past the end of the payload]
[Length field value goes past the end of the payload]
[Severity level: Error]
[Group: Malformed]
Logical-Link Control
DSAP: Unknown (0x45)
0100 010. = SAP: Unknown
.... ...1 = IG Bit: Group
SSAP: LLC Sub-Layer Management (0x02)
0000 001. = SAP: LLC Sub-Layer Management
.... ...0 = CR Bit: Command
Control field: U, func=Unknown (0x0B)
000. 10.. = Command: Unknown (0x02)
.... ..11 = Frame type: Unnumbered frame (0x3)
Data (49 bytes)
Data: 84d98d86b5400649eec0a80460341512db97ac0d0be3422a...
[Length: 49]
```
0000  fc ec da 49 e0 10 38 ba f8 12 7d bb 00 38 45 02   ...I..8...}..8E.
0010  0b 84 d9 8d 86 b5 40 06 49 ee c0 a8 04 60 34 15   ......@.I....`4.
0020  12 db 97 ac 0d 0b e3 42 2a 57 83 49 c2 ea c8 ec   .......B*W.I....
0030  01 28 17 6f 00 00 01 01 08 0a 01 8f f1 de ed 7f   .(.o............
0040  a5 4a                                             .J
```
You can see Tshark (and Wireshark) decode this as Ethernet with a LLC header. I need it to decode this as Ethernet with a raw header. I'm trying to troubleshoot why this traffic exists, as it is unexpected. It could be an issue with Linux on VirtualBox on Linux.
I'm familiar with "decode as" but I don't see how to apply it in this situation, or if Wireshark can help with this format.
Thank you,
Richard
What do you mean by "a raw header"?
Hi Guy,
I'm referring to the second format in the figure in this post:
https://networkengineering.stackexcha...
So the header in the frame I shared appears to be:
DST MAC / SRC MAC / Length / Data
instead of
DST MAC / SRC MAC / Length / DSAP / SSAP / Control / Data
which is how Wireshark and Tshark are decoding it.
Richard
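For anyone who wants to reproduce the decode decision outside Wireshark, here is an added example (it is not code from this thread and not Wireshark's own dissector): a small Python parser that applies the IEEE 802.3 rules for the two bytes after the MAC addresses. A value of 0x0600 or more is an EtherType (Ethernet II); a smaller value is a length, and the 802.3 payload is then told apart as "raw" 802.3 (Novell, payload begins 0xFFFF), 802.2 LLC with SNAP (DSAP and SSAP both 0xAA), or plain 802.2 LLC, which is the second format Richard describes. Frame 3 from the question is embedded byte for byte from the hex dump above; the Ethernet II, raw 802.3 and SNAP frames, and the `build_frame`/`describe` helpers, are constructed here for comparison. Run on the poster's frame it reports what Wireshark reported: a length of 56 against 52 captured payload bytes, then DSAP 0x45, SSAP 0x02, control 0x0B.

```python
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class EthHeader:
    dst: str
    src: str
    kind: str               # "ethernet_ii", "802.3_raw", "802.2_llc" or "802.2_snap"
    type_or_len: int        # EtherType (Ethernet II) or MAC-client data length (802.3)
    payload: bytes          # everything after the 14-byte header
    dsap: Optional[int] = None
    ssap: Optional[int] = None
    control: Optional[int] = None
    # Wireshark's "Length field value goes past the end of the payload"
    length_exceeds_capture: bool = False


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_eth(frame: bytes) -> EthHeader:
    """Classify a frame by the two bytes following the source MAC (IEEE 802.3 rule)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, tl = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    hdr = EthHeader(mac(dst), mac(src), "ethernet_ii", tl, payload)
    if tl >= 0x0600:
        return hdr                      # Ethernet II: the field is an EtherType (0x0800 = IPv4)
    # IEEE 802.3: the field is the MAC-client data length; bytes beyond it are padding
    hdr.length_exceeds_capture = tl > len(payload)
    body = payload[:tl]
    if body[:2] == b"\xff\xff":
        hdr.kind = "802.3_raw"          # Novell "raw" 802.3: IPX checksum 0xFFFF where DSAP/SSAP would be
        return hdr
    if len(body) < 3:
        raise ValueError("802.3 frame too short for a 3-byte LLC header")
    hdr.dsap, hdr.ssap, hdr.control = body[0], body[1], body[2]
    hdr.kind = "802.2_snap" if (hdr.dsap, hdr.ssap) == (0xAA, 0xAA) else "802.2_llc"
    return hdr


def describe(hdr: EthHeader) -> str:
    """One-line summary in the spirit of a tshark -V header (constructed helper)."""
    s = f"{hdr.src} -> {hdr.dst}  {hdr.kind}  type/len=0x{hdr.type_or_len:04x}"
    if hdr.dsap is not None:
        s += f"  DSAP=0x{hdr.dsap:02x} SSAP=0x{hdr.ssap:02x} ctrl=0x{hdr.control:02x}"
    if hdr.length_exceeds_capture:
        s += f"  [length {hdr.type_or_len} > {len(hdr.payload)} captured payload bytes]"
    return s


def build_frame(dst: bytes, src: bytes, field: int, body: bytes) -> bytes:
    """Constructed helper: header with a given type/length field plus body."""
    return struct.pack("!6s6sH", dst, src, field) + body


DST = bytes.fromhex("fcecda49e010")
SRC = bytes.fromhex("38baf8127dbb")

# Frame 3 exactly as it appears in the thread's hex dump (66 bytes).
POSTER_FRAME = bytes.fromhex(
    "fcecda49e01038baf8127dbb00384502"
    "0b84d98d86b5400649eec0a804603415"
    "12db97ac0d0be3422a578349c2eac8ec"
    "0128176f00000101080a018ff1deed7f"
    "a54a"
)
# Constructed comparison frames (not from the thread).
ETHERNET_II_FRAME = build_frame(DST, SRC, 0x0800, bytes.fromhex("4500") + bytes(18))
RAW_8023_FRAME = build_frame(DST, SRC, 30, b"\xff\xff" + bytes(28))        # IPX, checksum 0xFFFF
SNAP_FRAME = build_frame(DST, SRC, 8, bytes.fromhex("aaaa030000000800"))    # LLC+SNAP, OUI 0, IPv4

if __name__ == "__main__":
    for name, frame in [("frame 3", POSTER_FRAME), ("ethernet II", ETHERNET_II_FRAME),
                        ("raw 802.3", RAW_8023_FRAME), ("snap", SNAP_FRAME)]:
        print(f"{name:12s} {describe(parse_eth(frame))}")
```

Only the 0xFFFF signature distinguishes "raw" 802.3 from LLC once the field is a length; a length-prefixed frame whose payload starts with anything else looks like DSAP/SSAP/Control at this layer, which is why the bytes 45 02 0b in frame 3 come out as an LLC header.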